This is the accessible text file for GAO report number GAO-06-560 entitled 'Internal Revenue Service: Status of Recommendations from Financial Audits and Related Financial Management Reports' which was released on June 6, 2006.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Report to the Commissioner of Internal Revenue:

United States Government Accountability Office:

GAO:

June 2006:

Internal Revenue Service: Status of Recommendations from Financial Audits and Related Financial Management Reports:

GAO-06-560:

GAO Highlights:

Highlights of GAO-06-560, a report to the Commissioner of Internal Revenue.

Why GAO Did This Study:

In its role as the nation’s tax collector, the Internal Revenue Service (IRS) has a demanding responsibility in annually collecting over $2 trillion in taxes, processing hundreds of millions of tax and information returns, and enforcing the nation’s tax laws. Since its first audit of IRS’s financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS’s financial management operations. In related reports, GAO has recommended corrective action to address those weaknesses. Each year, as part of the annual audit of IRS’s financial statements, GAO not only makes recommendations to address any new weaknesses identified but also follows up on the status of weaknesses GAO identified in previous years’ audits. The purpose of this report is to (1) assist IRS management in tracking the status of audit recommendations and actions needed to fully address them and (2) demonstrate how the recommendations fit into IRS’s overall management and internal control structure.

What GAO Found:

IRS has made significant progress in improving its internal controls and financial management since its first financial audit in 1992, as evidenced by 6 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and the closing of over 200 financial management recommendations. This progress has been the result of hard work and commitment at the top levels of the agency. However, IRS still faces financial management challenges. At the beginning of GAO’s audit of IRS’s fiscal year 2005 financial statements, 84 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2005 financial audit, IRS took actions that enabled GAO to close 34 of those recommendations.
At the same time, GAO identified additional internal control deficiencies resulting in 22 new recommendations. In total, 72 recommendations currently remain open. To assist IRS in evaluating its internal controls and in making improvements, GAO categorized the 72 open recommendations by various internal control activities which, in turn, were grouped into three broad control activity groupings.

Table: Summary of Open Recommendations:

Control activity group: Safeguarding of assets and security activities; Open in 2005: 33; Closed during 2005 audit: 13; New from 2005 audit: 9; Total open for 2006: 29.

Control activity group: Proper recording and documenting of transactions; Open in 2005: 30; Closed during 2005 audit: 13; New from 2005 audit: 9; Total open for 2006: 26.

Control activity group: Effective management review and oversight; Open in 2005: 21; Closed during 2005 audit: 8; New from 2005 audit: 4; Total open for 2006: 17.

Control activity group: Total; Open in 2005: 84; Closed during 2005 audit: 34; New from 2005 audit: 22; Total open for 2006: 72.

Source: GAO analysis of financial management recommendations made to IRS.

[End of Table]

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-560].

To view the full product, including the scope and methodology, click on the link above. For more information, contact Steven J. Sebastian at (202) 512-3406 or sebastians@gao.gov.

[End of Section]

Contents:

Letter
Results in Brief
Background
Objectives, Scope, and Methodology
IRS's Progress on Financial Management Recommendations
Open Recommendations Grouped by Control Activity
Concluding Observations
Agency Comments and Our Evaluation
Appendix I: Status of GAO Recommendations from IRS Financial Audits and Related Management Reports
Appendix II: Comments from the Internal Revenue Service
Appendix III: Staff Acknowledgments

Tables:

Table 1: Summary of Open Recommendations
Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets
Table 3: Recommendations to Improve IRS's Segregation of Duties
Table 4: Recommendations to Improve IRS's Controls over Information Processing
Table 5: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records
Table 6: Recommendations to Improve IRS's Documentation of Transactions and Internal Control
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events
Table 8: Recommendation to Improve IRS's Execution of Transactions and Events
Table 9: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level
Table 10: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators
Table 11: Recommendation to Improve IRS's Management of Human Capital

Abbreviations:

ALS: Automated Lien System
ATFR: Automated Trust Fund Recovery
AUR: Automated Under Reporter
AWSS: Agency-Wide Shared Services
BMF: Business Master File
BPMS: Business Performance Management System
CAP: Custodial Accounting Project
CCP: Centralized Case Processing
CCTV: closed-circuit television
CDDB: Custodial Detail Data Base
CFO: chief financial officer
CIO: chief information officer
CIQMS: complex interest quality measurement system
COTR: contracting officer's technical representative
CPE: continuing professional education
DCI: data collection instrument
FMFIA: Federal Managers' Financial Integrity Act of 1982
FMIS: Financial Management Information System
FMS: Financial Management Service
FRB: Federal Reserve Bank
IDRS: Integrated Data Retrieval System
IFS: Integrated Financial System
IMF: Individual Master File
IRM: Internal Revenue Manual
IRS: Internal Revenue Service
IT: information technology
LEM: Security Law Enforcement Manual
LMSB: Large and Mid-sized Business
LPG: Lockbox Processing Guidelines
LSG: Lockbox Security Guide
MOU: memorandum of understanding
NBIC: National Background Investigation Center
NFC: National Finance Center
OMB: Office of Management and Budget
P&E: property and equipment
POD: post of duty
PSEP: office of Physical Security and Emergency Preparedness
SATMOD: satisfied module
SB/SE: Small Business/Self-Employed
SCC: service center campus
SERP: Service-wide Electronic Research Program
SETS: Security Entry and Tracking System
SP: Submission Processing
SPC: submission processing center
TAC: taxpayer assistance center
TE/GE: Tax Exempt and Government Entities
TFRP: Trust Fund Recovery Penalty
TGA: Treasury's General Account
W&I: Wage and Investment

United States Government Accountability Office:
Washington, DC 20548:

June 6, 2006:

The Honorable Mark W. Everson:
Commissioner of Internal Revenue:

Dear Mr. Everson:

In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. In fiscal year 2005, IRS collected about $2.3 trillion in tax payments, processed hundreds of millions of tax and information returns, and paid about $267 billion in refunds to taxpayers. Because of its role and overall mission, IRS's activities touch on virtually all of the nation's citizens. It is therefore critical that the agency strive to maintain sound financial management practices.

IRS has made much progress in improving its financial management since it was first required to prepare and have audited a set of financial statements in fiscal year 1992. This progress has led to its ability to obtain and maintain a clean audit opinion on its financial statements each year beginning in fiscal year 2000, and to correct several material internal control weaknesses over the years. Despite these considerable improvements, however, more remains to be done to address long-standing internal control issues that continue to plague the agency. IRS continues to have weak or ineffective internal controls over fundamental elements of its operations that leave it vulnerable to a greater risk of fraud, waste, abuse, and mismanagement. This, in turn, has the potential to impact the lives of the nation's taxpayers, as our audits over the years have demonstrated.

An agency's internal control environment serves as the first line of defense in safeguarding its assets and in preventing and detecting errors and fraud, as well as in helping to effectively manage its stewardship over public resources.[Footnote 1] Unfortunately, IRS continues to be challenged with several long-standing material weaknesses in internal control that are at the heart of IRS's operations.[Footnote 2] During our audit of IRS's fiscal year 2005 financial statements, we continued to find material weaknesses in controls over:

* financial reporting (including safeguarding of assets),
* unpaid tax assessments,
* identifying and collecting tax revenues due and issuing tax refunds, and
* information systems security.

In addition to the material weaknesses, we continued to identify two reportable conditions, including deficiencies in controls over (1) hard-copy tax receipts and taxpayer data, which increase the government's and taxpayer's risk of loss or inappropriate disclosure of taxpayer data, and (2) property and equipment (P&E), which preclude IRS from readily reconciling its property records to its financial records.

To assist IRS in strengthening its internal controls and improving its operations, we have made numerous recommendations as part of our annual financial statement audits and other financial management-related work at IRS. This report is being provided to you to (1) assist IRS management in tracking the status of financial audit and financial management-related recommendations and the actions needed to address them and (2) demonstrate how the recommendations fit into IRS's overall management and internal control structure. In cases where IRS has taken action on open recommendations that did not result in our closing them, we explain why this occurred. We conducted our review from December 2005 through May 2006 in accordance with U.S. generally accepted government auditing standards.

Results in Brief:

IRS management continues to make progress in addressing many of the internal control deficiencies that plague the agency. At the beginning of the fiscal year 2005 IRS financial statement audit, 84 financial management-related recommendations from prior audits remained open because IRS had not addressed the issues that gave rise to them sufficiently to allow us to close them. During the fiscal year 2005 financial audit, IRS took actions to effectively address issues that gave rise to numerous recommendations, enabling us to close 34 of those recommendations. However, more efforts are needed by IRS to effectively address its financial management challenges.
During our fiscal year 2005 financial audit, we continued to identify recurring internal control deficiencies, as well as new deficiencies, and we made 22 new recommendations to address these newly identified issues. As a result, 72 recommendations to address IRS's internal control deficiencies remain open.

In analyzing the nature of these open financial management recommendations, we found that 29 recommendations, or 40 percent, relate to issues associated with IRS's lack of effective controls over safeguarding assets and security activities. Another 26 recommendations, or more than a third of the open recommendations, relate to issues associated with IRS's inability to properly record and document transactions. The remaining 17 recommendations, or approximately 24 percent, relate to issues associated with lack of effective management review and oversight. Effective implementation of these open recommendations could greatly assist IRS in improving its internal controls and achieving sound financial management. We are making no new recommendations in this report.

In commenting on this report, IRS highlighted its efforts to further improve its internal controls over hard-copy tax receipts, and felt our grouping of the remaining open recommendations into broad internal control categories will facilitate its strategy to address its remaining financial management issues. We have reprinted IRS's written comments in appendix II.

Background:

Internal control is not one event, but a series of actions and activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be recognized as an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their goals on an ongoing basis.

Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA)), requires agencies to establish and maintain internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations.

Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control (revised Dec. 21, 2004), provides the implementing guidance for FMFIA, and sets out the specific requirements for assessing and reporting on internal controls[Footnote 3] consistent with the internal control standards issued by the Comptroller General of the United States.[Footnote 4] The circular, which was revised in 2004 with the revisions effective for fiscal year 2006, defines management's responsibilities related to internal control and the process for assessing internal control effectiveness, and provides specific requirements for conducting management's assessment of the effectiveness of internal control over financial reporting. The circular requires management to annually provide assurances on internal control in its Performance and Accountability Report, and for the Chief Financial Officers (CFO) Act agencies, beginning in fiscal year 2006, to include a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.[Footnote 5] The circular also emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities.

FMFIA requires GAO to issue standards for internal control in the federal government.
GAO's Standards for Internal Control in the Federal Government provides the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.

As summarized in GAO's Standards for Internal Control in the Federal Government, the minimum level of quality acceptable for internal control in the government is defined by the following five standards, which also provide the basis against which internal controls are to be evaluated:

* Control environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.

* Risk assessment: Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.

* Control activities: Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives.

* Information and communications: Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

* Monitoring: Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

The third control standard--internal control activities--helps ensure that management's directives are carried out. Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives.
In other words, they are the activities conducted in the everyday course of business that accomplish a control objective, such as ensuring IRS employees successfully complete background checks prior to being granted access to taxpayer information and receipts. As such, control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achievement of effective results.

A key objective in our annual audits of IRS's financial statements is to obtain reasonable assurance about whether IRS maintained effective internal controls with respect to financial reporting, including safeguarding of assets, and compliance with laws and regulations. While all five internal control standards are critical and are used by us as a basis for evaluating the effectiveness of IRS's internal controls, we place a heavy emphasis on testing control activities. This has resulted in the identification of significant deficiencies in certain internal controls over the years and recommendations for corrective action.

Objectives, Scope, and Methodology:

The objectives of this report are to (1) assist IRS management in tracking the status of financial audit and financial management-related recommendations and the actions needed to address them and (2) demonstrate how the recommendations fit into IRS's overall management and internal control structure. To accomplish these objectives, we evaluated the effectiveness of IRS's corrective actions implemented in response to open recommendations during fiscal year 2005 as part of our fiscal years 2005 and 2004 financial audits. To report on the current status of the recommendations, we obtained the status of each recommendation and corrective action taken or planned as of April 2006, as reported to us by IRS.
We then compared IRS's assessment to our fiscal year 2005 audit findings and noted any differences between IRS's and our conclusions regarding the status of each recommendation. In order to determine how these recommendations fit within IRS's management and internal control structure, we compared the open recommendations, and the issues that gave rise to them, to the control activities listed in GAO's Standards for Internal Control in the Federal Government and to the list of major factors and examples outlined in our Internal Control Management and Evaluation Tool.[Footnote 6] We also considered how the recommendations and the underlying issues were categorized in our prior reports, whether IRS had addressed in whole or in part the underlying control issues that gave rise to the recommendations, and other legal requirements and implementing guidance, such as OMB Circular No. A-123; FMFIA; and the Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (revised June 2001).

We conducted our review from December 2005 through May 2006 in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Commissioner of Internal Revenue or his designee. We received written comments from the commissioner, which are reprinted in appendix II.

IRS's Progress on Financial Management Recommendations:

IRS continues to make progress on addressing its significant financial management challenges. Over the years since we first began auditing IRS's financial statements in fiscal year 1992, we have closed out over 200 financial management-related recommendations we made based on actions IRS has taken to improve its internal controls and operational efficiency. This includes 34 recommendations we are closing in fiscal year 2006 based on actions IRS took during the period covered by our fiscal year 2005 financial audit.
At the same time, however, our audits continue to identify significant internal control deficiencies, resulting in our making further recommendations for corrective action, including 22 new financial management-related recommendations resulting from our fiscal year 2005 financial audit. These internal control deficiencies, and the resulting recommendations, can directly be traced to the control activities in GAO's Standards for Internal Control in the Federal Government. As such, it is essential that they be fully addressed and resolved to strengthen IRS's overall financial management and to assist it in achieving its goals and mission.

Status of Recommendations Based on the Fiscal Year 2005 Financial Statement Audit:

In April 2005, we issued a report on the status of IRS's efforts to implement corrective actions to address financial management recommendations stemming from our fiscal year 2004 and prior year financial audits and other financial management-related work.[Footnote 7] In that report, we identified 84 audit recommendations that, at that time, remained open and thus required corrective action by IRS. A significant number of these recommendations had been open for several years, either because IRS had not taken corrective action or because the actions taken had not been effective in resolving the issues that gave rise to the recommendations.

IRS continued to work to address many of the internal control deficiencies to which these open recommendations relate. In the course of performing our fiscal year 2005 financial audit, we identified numerous actions IRS took to address many of its internal control deficiencies. Based on IRS's actions, which we were able to substantiate through our audit, we are able to close 34 of these prior years' recommendations since we concluded that IRS's actions effectively addressed the issues that gave rise to them. IRS considers another 23 of the prior years' recommendations to be effectively addressed.
However, we still consider them to be open either because we have not yet had time to verify the effectiveness of IRS's actions--they occurred subsequent to completion of our audit testing and thus have not been verified, which is a prerequisite to our closing a recommendation--or because the actions taken did not fully address the issue that gave rise to the recommendation.

However, continued efforts are needed by IRS to address its serious internal control weaknesses. While we are able to close 34 financial management recommendations made in prior years, this still leaves 50 recommendations from prior years that remain open, a significant number of which have been outstanding for several years. In some cases, as mentioned, IRS may have effectively addressed the issues that gave rise to the recommendations subsequent to our fiscal year 2005 audit testing; however, in many cases, our fiscal year 2005 audit determined that the actions taken to date had not effectively addressed the underlying internal control issues.

Additionally, during our fiscal year 2005 audit, we identified additional internal control issues that will require corrective action by IRS. In a recent management report to IRS,[Footnote 8] we discussed these internal control issues, and made 22 new recommendations to IRS to address these new issues. Consequently, a total of 72 financial management-related recommendations are currently open and need to be addressed by IRS.
Of these, we consider 64 to be short term and 8 to be long term.[Footnote 9]

Appendix I presents a listing of (1) recommendations we have made based on our financial audits and other financial management-related work that we have not previously reported as closed, (2) the status of each of these recommendations and corrective actions taken or planned as of April 2006 as reported to us by IRS, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively and fully addressed based on the work performed during our fiscal year 2005 financial audit. The appendix lists the recommendations by the date on which the recommendation was made and by report number.

Relation of Open Recommendations to IRS's Control Environment:

An agency's overall internal control environment comprises the plans, methods, and procedures that are used to meet its mission, goals, and objectives and, in doing so, supports its performance-based management. Internal control also serves as the first line of defense in safeguarding an agency's assets and in preventing and detecting errors and mitigating the potential for fraud. Effective internal control assists program managers in achieving desired results through effective stewardship of public resources.

Control activities, one of the five broad standards contained in GAO's Standards for Internal Control in the Federal Government, are the policies, procedures, techniques, and mechanisms that enforce management's directives. As such, they are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achievement of results. GAO's Standards for Internal Control in the Federal Government defines 11 control activities.
These control activities can be further grouped into three broad categories:

* safeguarding of assets and security activities, including:
    * physical control over vulnerable assets,
    * segregation of duties,
    * controls over information processing, and
    * access restrictions to and accountability for resources and records;

* proper recording and documenting of transactions, including:
    * appropriate documentation of transactions and internal control,
    * accurate and timely reporting of transactions and events, and
    * proper execution of transactions and events; and

* effective management review and oversight, including:
    * reviews by management at the functional or activity level,
    * establishment and review of performance measures and indicators,
    * management of human capital, and
    * top level reviews of actual performance.

Each of the open recommendations from our financial audits and financial management-related work, and the underlying issues that gave rise to them, can be traced back to the 11 control activities and their three broad categories. Table 1 presents a summary of the open recommendations, each tied back to the control activity to which it relates.

Table 1: Summary of Open Recommendations:

Control activity: Safeguarding of assets and security activities; Open at start of fiscal year 2005 audit: [Empty]; Closed during fiscal year 2005 audit: [Empty]; New from fiscal year 2005 audit: [Empty]; Total open recommendations: [Empty]; Percentage: 40.

Control activity: Physical control over vulnerable assets; Open at start of fiscal year 2005 audit: 17; Closed during fiscal year 2005 audit: 9; New from fiscal year 2005 audit: 5; Total open recommendations: 13; Percentage: 18.

Control activity: Segregation of duties; Open at start of fiscal year 2005 audit: 4; Closed during fiscal year 2005 audit: 1; New from fiscal year 2005 audit: 0; Total open recommendations: 3; Percentage: 4.

Control activity: Controls over information processing; Open at start of fiscal year 2005 audit: 8; Closed during fiscal year 2005 audit: 2; New from fiscal year 2005 audit: 0; Total open recommendations: 6; Percentage: 8.

Control activity: Access restrictions to and accountability for resources and records; Open at start of fiscal year 2005 audit: 4; Closed during fiscal year 2005 audit: 1; New from fiscal year 2005 audit: 4; Total open recommendations: 7; Percentage: 10.

Control activity: Proper recording and documenting of transactions; Open at start of fiscal year 2005 audit: [Empty]; Closed during fiscal year 2005 audit: [Empty]; New from fiscal year 2005 audit: [Empty]; Total open recommendations: [Empty]; Percentage: 36.

Control activity: Appropriate documentation of transactions and internal controls; Open at start of fiscal year 2005 audit: 16; Closed during fiscal year 2005 audit: 10; New from fiscal year 2005 audit: 5; Total open recommendations: 11; Percentage: 15.

Control activity: Accurate and timely recording of transactions and events; Open at start of fiscal year 2005 audit: 13; Closed during fiscal year 2005 audit: 3; New from fiscal year 2005 audit: 4; Total open recommendations: 14; Percentage: 20.

Control activity: Proper execution of transactions and events; Open at start of fiscal year 2005 audit: 1; Closed during fiscal year 2005 audit: 0; New from fiscal year 2005 audit: 0; Total open recommendations: 1; Percentage: 1.

Control activity: Effective management review and oversight; Open at start of fiscal year 2005 audit: [Empty]; Closed during fiscal year 2005 audit: [Empty]; New from fiscal year 2005 audit: [Empty]; Total open recommendations: [Empty]; Percentage: 24.

Control activity: Reviews by management at the functional or activity level; Open at start of fiscal year 2005 audit: 14; Closed during fiscal year 2005 audit: 6; New from fiscal year 2005 audit: 4; Total open recommendations: 12; Percentage: 17.

Control activity: Establishment and review of performance measures and indicators; Open at start of fiscal year 2005 audit: 4; Closed during fiscal year 2005 audit: 0; New from fiscal year 2005 audit: 0; Total open recommendations: 4; Percentage: 6.

Control activity: Management of human capital; Open at start of fiscal year 2005 audit: 3; Closed during fiscal year 2005 audit: 2; New from fiscal year 2005 audit: 0; Total open recommendations: 1; Percentage: 1.

Control activity: Total; Open at start of fiscal year 2005 audit: 84; Closed during fiscal year 2005 audit: 34; New from fiscal year 2005 audit: 22; Total open recommendations: 72; Percentage: [Empty].

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

As table 1 indicates, many of IRS's open recommendations are tied to safeguarding and security issues. Specifically, 29 of the open recommendations, or 40 percent, relate to issues associated with IRS's lack of effective controls over safeguarding of assets and security activities. Another 26 recommendations, or 36 percent, relate to issues associated with IRS's inability to properly record and document transactions. The remaining 17 recommendations, or 24 percent, relate to issues associated with the lack of effective management review and oversight.

Open Recommendations Grouped by Control Activity:

Linking the open recommendations from our financial audits and other financial management-related work, and the issues that gave rise to them, to the internal control activities identified in GAO's Standards for Internal Control in the Federal Government provides insight regarding their significance to IRS's ability to effectively achieve the objectives associated with the control activities and, thus, to its overall mission and goals. On the following pages, we group the 72 open recommendations under the control activity to which the condition that gave rise to them most appropriately fits.
We first define each control activity as presented in GAO's Standards for Internal Control in the Federal Government and briefly identify some of the key IRS operations that fall under that control activity. Although not comprehensive, the descriptions are intended to help explain why the control activity is important for IRS and thus why implementing the recommendations would strengthen management and controls that support those operations. For each recommendation, we also indicate whether it is a short-term or long-term recommendation.

Safeguarding of Assets and Security Activities:

Given IRS's mission, the sensitivity of the data it maintains, and its processing of trillions of dollars of tax receipts each year, one of the most important control activities at IRS is the safeguarding of assets. Internal control should be designed to provide reasonable assurance regarding prevention or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets. We have grouped together the four control activities in GAO's Standards for Internal Control in the Federal Government that relate to safeguarding of assets (including tax receipts) and security activities (such as limiting access to only authorized personnel): (1) physical control over vulnerable assets, (2) segregation of duties, (3) controls over information processing, and (4) access restrictions to and accountability for resources and records.

Physical Control over Vulnerable Assets:

An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records.
IRS is charged with collecting over $2 trillion in taxes each year, a significant amount of which is collected in the form of checks and cash accompanied by tax returns and related information. IRS collects taxes both at its own facilities as well as at lockbox banks that operate under contract with the Treasury Department's Financial Management Service (FMS) to provide processing services for certain taxpayer receipts for IRS. IRS acts as custodian for (1) the tax payments it receives until they are deposited in the General Fund of the U.S. Treasury and (2) the tax returns and related information it receives until they are either sent to the Federal Records Center or destroyed. IRS is also charged with controlling many other assets, such as computers and other equipment, but IRS's legal responsibility to safeguard tax returns and the confidential information taxpayers provide in tax returns makes the effectiveness of its internal controls with respect to physical security essential.

IRS receives cash and checks mailed to its service centers or lockbox banks with accompanying tax returns and information or payment vouchers and payments made in person at one of its offices. While adequate physical safeguards over receipts should exist throughout the year, it is especially important during the peak tax filing season. Each year during the weeks preceding and shortly after April 15, an IRS service center campus (SCC) may receive and process daily over 100,000 pieces of mail containing returns, receipts, or both. The dollar value of receipts each service center processes increases to hundreds of millions of dollars a day during the April 15 time frame.

Of our 72 open recommendations, the following 13 open recommendations are designed to improve IRS's physical controls over vulnerable assets. (See table 2.)

Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets:

ID. No.: 99-19; Recommendations: Ensure that walk-in payment receipts are recorded in a control log prior to depositing the receipts in the locked container and ensure that the control log information is reconciled to receipts prior to submission of the receipts to another unit for payment processing. To ensure proper segregation of duties, an employee not responsible for logging receipts in the control log should perform the reconciliation. (short-term).

ID. No.: 03-32; Recommendations: Prohibit the storage of employees' personal belongings with cash payments and receipts at IRS's taxpayer assistance centers. (short-term).

ID. No.: 04-07; Recommendations: Develop procedures to enhance adherence to existing instructions on safeguarding discovered remittances at SCCs. (short-term).

ID. No.: 04-08; Recommendations: Enforce its policies and procedures to ensure that SCC security guards respond to alarms. (short-term).

ID. No.: 04-09; Recommendations: Establish compensating controls in the event that automated security systems malfunction, such as notifying guards and managers of the malfunction, and immediately deploying guards to better protect the processing center's perimeter. (short-term).

ID. No.: 05-25; Recommendations: Formulate a policy to require that critical utility or security controls not be located in areas requiring frequent access. (short-term).

ID. No.: 05-26; Recommendations: Require lockbox bank management to position closed-circuit television cameras to enable monitoring of secured areas containing sensitive systems or controls. (short-term).

ID. No.: 05-34; Recommendations: Establish a procedure for Small Business/Self-Employed (SB/SE) field office units to track Document Transmittal forms and acknowledgments of receipt of Document Transmittal forms. (short-term).

ID. No.: 06-05; Recommendations: Equip all taxpayer assistance centers (TACs) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. (short-term).

ID. No.: 06-06; Recommendations: Connect duress alarms to a central monitoring station or local police department or institute appropriate compensating controls when these alarm systems are not operable or in place. (short-term).

ID. No.: 06-08; Recommendations: Enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation. (short-term).

ID. No.: 06-09; Recommendations: Reemphasize the need for the security guards at all TACs to ensure that key posts of duty, such as entrances to facilities, are not left unattended. (short-term).

ID. No.: 06-15; Recommendations: Revise the physical security procedures contained in the IRM (Internal Revenue Manual) to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.
[End of table]

Segregation of Duties:

Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.

IRS employees are responsible for processing trillions of dollars of tax receipts each year, of which hundreds of billions are received in the form of cash or checks,[Footnote 10] and for processing hundreds of billions of dollars in refunds to taxpayers. Consequently, it is critical that IRS maintain appropriate separation of duties to allow for adequate oversight of staff and protection of these vulnerable resources so that no single individual would be in a position of both causing an error or irregularity and then concealing it. For example, when an IRS field office or lockbox bank receives taxpayer receipts and returns, it is responsible for depositing the cash and checks in a depository institution and forwarding the related information received to an SCC for further processing. In order to adequately safeguard receipts from theft, the person responsible for recording the information from the taxpayer receipts on a voucher should be different from the individual who prepares those receipts for transmittal to the SCC for further processing.

The following three open recommendations would help IRS improve its separation of duties, which will in turn strengthen its controls over both tax receipts and refunds. (See table 3.)

Table 3: Recommendations to Improve IRS's Segregation of Duties:

ID. No.: 02-16; Recommendations: Ensure that field office management comply with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short-term).

ID. No.: 05-32; Recommendations: Establish policies and procedures to require appropriate segregation of duties in SB/SE units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short-term).

ID. No.: 05-41; Recommendations: Specify in the IRM that staff members are not to review their own command code profiles. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Controls over Information Processing:

A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, and comparing file totals with control totals. There are two broad groupings of information systems control--general control (for hardware such as mainframe, network, end-user environments) and application control (processing of data within the application software). General controls include entitywide security program planning, management, and backup recovery procedures, and contingency and disaster planning. Application controls are designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing.

IRS relies extensively on computerized systems to support its financial and mission-related operations. To efficiently fulfill its tax processing responsibilities, IRS relies extensively on interconnected networks of computer systems to perform various functions, such as collecting and storing taxpayer data, processing tax returns, calculating interest and penalties, generating refunds, and providing customer service.
As part of our annual audits of IRS's financial statements, we assess the effectiveness of IRS's information security controls[Footnote 11] over key financial systems, data, and interconnected networks at IRS's critical data processing facilities that support the processing, storage, and transmission of sensitive financial and taxpayer data. From that effort, we have identified over the years information security control weaknesses that impair IRS's ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data. As of March 2006, there were 45 open recommendations from our information security work designed to improve IRS's information security controls.[Footnote 12] Recommendations resulting from our information security work are reported separately and are not included in this report primarily because of the sensitive nature of some of these issues.

However, the following six open recommendations are related to systems limitations and IRS's need to review and resolve various exception reports that its systems generate. (See table 4.) We included reviews of exception reports in this control activity since they help ensure the integrity of IRS's automated data.[Footnote 13]

Table 4: Recommendations to Improve IRS's Controls over Information Processing:

ID. No.: 02-18; Recommendations: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Secure Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short-term).

ID. No.: 05-03; Recommendations: Research and resolve the current backlog of unresolved unmatched exception reports. (short-term).

ID. No.: 05-04; Recommendations: Research and resolve unmatched exception reports weekly. (short-term).

ID. No.: 05-06; Recommendations: Research and resolve the current backlog of unresolved manual interest or penalties reports. (short-term).

ID. No.: 05-07; Recommendations: Research and resolve exception reports containing liens with manually calculated interest or penalties weekly, as called for in the IRM and the ALS[A] User Guide. (short-term).

ID. No.: 05-09; Recommendations: Improve the current unmatched exception report by including a cumulative list of all unmatched taxpayer accounts that have not been resolved to date. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[A] ALS stands for Automated Lien System.

[End of table]

Access Restrictions to and Accountability for Resources and Records:

Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.

Because IRS deals with a large volume of cash and checks, it is imperative that it maintain strong controls over who has access to those assets, the records that track those assets, and sensitive taxpayer information. Although IRS has a number of both physical and information system controls in place, some of the issues we have identified in our financial audits over the years pertain to ensuring that those with direct access to these cash and checks are appropriately vetted before being granted access to taxpayer receipts and information and to ensuring that IRS maintains effective access security control.

The following seven open recommendations would help IRS improve its access restrictions to assets and records. (See table 5.)

Table 5: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records:

ID. No.: 03-29; Recommendations: Confirm with FMS that IRS's requirements for background and fingerprint checks for courier services are met regardless of whether IRS or FMS negotiates the service agreement. (short-term).

ID. No.: 05-11; Recommendations: Enforce adherence to existing instructions on safeguarding taxpayer receipts and information, such as securing access and candling procedures, at SCCs selected for significant reductions in their submission processing functions. (short-term).

ID. No.: 05-13; Recommendations: Enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers. (short-term).

ID. No.: 06-16; Recommendations: Amend its policy to require that a completed form 13094 with a positive recommendation be provided for every juvenile hired to any position that will allow access to taxpayer receipts and/or taxpayer information. (short-term).

ID. No.: 06-17; Recommendations: Require IRS personnel to verify the information on the form 13094 by contacting the reference directly. (short-term).

ID. No.: 06-18; Recommendations: Revise the form 13094 to require the reference to describe his/her relationship with the juvenile, including extent of firsthand contact, to allow IRS to review the forms and assess whether the referencer has sufficient basis to recommend that juvenile to a position of trust. (short-term).

ID. No.: 06-19; Recommendations: Establish procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS's current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a form 13094 or its equivalent. These procedures could include a list of acceptable alternatives that may serve as references for juveniles who do not have a current teacher, principal or guidance counselor. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.
[End of table]

Proper Recording and Documenting of Transactions:

One of the largest obstacles continuing to face IRS management is the agency's lack of an integrated financial management system capable of producing the accurate, useful, and timely information IRS managers need to assist in making day-to-day decisions. While progress is being made to modernize its financial management capabilities, IRS nonetheless continues to face many of the pervasive internal control weaknesses that we have reported each year since we began auditing its financial statements in fiscal year 1992, many of which are related to its long-standing systems deficiencies. However, IRS also has a number of internal control issues that relate to recording transactions, documenting events, and tracking the processing of taxpayer receipts or information, which do not depend upon improvements in information systems.

We have grouped three control activities together that relate to proper recording and documenting of transactions: (1) appropriate documentation of transactions and internal controls, (2) accurate and timely recording of transactions and events, and (3) proper execution of transactions and events.

Appropriate Documentation of Transactions and Internal Control:

Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained.

IRS collects and processes trillions of dollars in taxpayer receipts annually both at its own facilities and at lockbox banks under contract to process taxpayer receipts for the federal government.
Therefore, it is important that IRS maintain appropriate assurance that all documents and records are properly managed and maintained both at its facilities and at the lockbox banks.

The following 11 open recommendations would assist IRS in improving its documentation of transactions and internal control procedures. (See table 6.)

Table 6: Recommendations to Improve IRS's Documentation of Transactions and Internal Control:

ID. No.: 04-03; Recommendations: Develop procedures to require lockbox managers to provide satisfactory evidence that managerial reviews are performed in accordance with established guidelines. At a minimum, reviewers should sign and date the reviewed documents and provide any comments that may be appropriate in the event their reviews identified problems or raised questions. (short-term).

ID. No.: 05-12; Recommendations: Document a methodology for estimating anticipated rapid changes in mail volume at future SCCs selected for significant reductions in their submission processing functions, taking into consideration factors such as the prior rampdown experience at Brookhaven. (short-term).

ID. No.: 05-14; Recommendations: Require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor work sites and security offices responsible for controlling access to sites containing taxpayer receipts and information. (short-term).

ID. No.: 05-35; Recommendations: Require evidence of managerial review of recording, transmittal, and receipt of acknowledgments of taxpayer receipts and information. (short-term).

ID. No.: 05-39; Recommendations: Enforce requirements for documenting monitoring actions and supervisory review. (short-term).

ID. No.: 05-42; Recommendations: Specify in the IRM how to properly verify interest and penalties for accounts with liens with manually calculated interest or penalties. (short-term).

ID. No.: 06-01; Recommendations: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term).

ID. No.: 06-02; Recommendations: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within IRS's Large and Mid-sized Business (LMSB) and Tax Exempt and Government Entity (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term).

ID. No.: 06-03; Recommendations: Provide instructions to document the follow-up procedures performed in those cases where transmittals have not been timely acknowledged. (short-term).

ID. No.: 06-04; Recommendations: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term).

ID. No.: 06-07; Recommendations: Document supervisory visits by offsite managers to TACs not having a manager permanently onsite. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Accurate and Timely Recording of Transactions and Events:

Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records.
In addition, control activities help to ensure that all transactions are completely and accurately recorded.

IRS is responsible for maintaining taxpayer records for tens of millions of taxpayers in addition to maintaining its own financial records. To carry out this responsibility, IRS often has to rely on outdated computer systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping difficulties we have reported on over the years will not be addressed until it can replace its aging systems, which is a long-term effort and is dependent on future funding.

The following 14 open recommendations would strengthen IRS's recordkeeping abilities. (See table 7.) They include some specific recommendations regarding requirements for new systems for maintaining taxpayer records. Several of the recommendations listed affect financial reporting processes, such as subsidiary records and appropriate allocation of costs. Some of the issues that gave rise to certain of our recommendations directly affect taxpayers, such as those involving duplicate assessments, errors in calculating and reporting manual interest, and recovery of trust fund penalty assessments. Half of these recommendations are almost over 5 years old and 1 is over 10 years old, reflecting the long-term nature of the resolution of some of these issues.

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events:

ID. No.: 94-2; Recommendations: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term).

ID. No.: 99-1; Recommendations: Manually review and eliminate duplicate or other assessments that have already been paid off to assure all accounts related to a single assessment are appropriately credited for payments received. (short-term).

ID. No.: 99-3; Recommendations: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short-term).

ID. No.: 99-20; Recommendations: Analyze and determine the factors causing delays in processing and posting trust fund recovery penalty assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (short-term).

ID. No.: 99-36; Recommendations: Make enhancements to IRS financial systems to include recording P&E and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term).

ID. No.: 01-17; Recommendations: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term).

ID. No.: 01-39; Recommendations: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term).

ID. No.: 02-08; Recommendations: Implement policies and procedures to require that all employees itemize on their time cards the time spent on specific projects. (long-term).

ID. No.: 02-09; Recommendations: Implement policies and procedures to allocate nonpersonnel costs to programs and activities on a routine basis throughout the year. (long-term).

ID. No.: 05-36; Recommendations: Assess options to prevent the generation or disbursement of refunds associated with accounts with unresolved Automated Under Reporter (AUR) discrepancies, including placement of a freeze or hold on all such accounts, until the AUR review has been completed. (short-term).

ID. No.: 06-12; Recommendations: Enforce its existing policies and procedures at lockbox banks to ensure that all remittances of $50,000 or more are processed immediately and deposited at the first available opportunity. (short-term).

ID. No.: 06-20; Recommendations: To assure proper accounting treatment of expense and P&E transactions and reliable financial reporting, we recommend that IRS enforce its property and equipment capitalization policy to ensure that it is properly implemented to fully achieve management's objectives, including recognizing assets when its capitalization criteria is met and recognizing expenses when it is not. (short-term).

ID. No.: 06-21; Recommendations: Generate aging reports when an asset remains in pending disposal status for longer than a specified period of time. (short-term).

ID. No.: 06-22; Recommendations: Direct Facilities Management Branch managers to research and resolve the aging reports. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Proper Execution of Transactions and Events:

Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees.
IRS employs tens of thousands of people in its 10 SCCs, three computing centers, and numerous field offices throughout the United States. In addition, the number of staff increases significantly during the peak of the tax filing season. Because of the tremendous number of personnel involved, IRS must maintain effective control over which employees are authorized to either view or change sensitive taxpayer data. IRS's ability to establish access rights and permissions for information systems is a critical control.

Each year, IRS pays out hundreds of billions of dollars in tax refunds, some of which are distributed to taxpayers manually.[Footnote 14] IRS requires that all manual refunds be approved by officials who are designated by managers. However, weaknesses in the authorization of such approving officials expose the federal government to losses because of the issuance of improper refunds.

The following open recommendation would improve IRS's controls over its manual refund transactions. (See table 8.)

Table 8: Recommendation to Improve IRS's Execution of Transactions and Events:

ID. No.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Effective Management Review and Oversight:

All personnel within IRS have an important role in making internal controls work, but the responsibility for good internal control rests with IRS's managers. Management sets the objectives, puts the control mechanisms and activities in place, and monitors and evaluates the controls. Without effective monitoring by managers, internal control activities may not be conducted on a consistent and timely basis.
We have grouped three control activities together related to effective management review and oversight: (1) reviews by management at the functional or activity level, (2) establishment and review of performance measures and indicators, and (3) management of human capital. Although we also include the control activity "top level reviews of actual performance" in this grouping, we do not have any open recommendations to IRS related to this internal control activity. Reviews by Management at the Functional or Activity Level: Managers need to compare actual performance to planned or expected results throughout the organization and analyze significant differences. IRS has over 80,000 full-time employees and hires over 10,000 seasonal personnel to assist during the tax filing season. In addition, as discussed earlier, IRS contracts with banks to process tens of thousands of individual receipts, totaling hundreds of billions of dollars. At any organization, management oversight of operations is important, but with an organization as vast in scope as the IRS, management oversight is imperative. The following 12 open recommendations would improve IRS's management oversight. (See table 9.) In general, these recommendations were made to correct instances where an internal control activity either does not exist or where an established control is not being adequately or consistently applied. The majority of these recommendations emphasize improvements needed to IRS's oversight of lockbox banks and contracted courier programs in order to ensure appropriate physical control over vulnerable assets, such as taxpayer receipts. Table 9: Recommendations To Improve Irs's Reviews By Management At The Functional Or Activity Level: ID. 
No.: 99-22; Recommendations: Expand IRS's current review of service center deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly over-stamping checks made out to the "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term).

ID. No.: 01-06; Recommendations: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term).

ID. No.: 03-15; Recommendations: Require lockbox management to ensure that envelopes are properly candled and that IRS takes steps to monitor adherence to this requirement. (short-term).

ID. No.: 05-22; Recommendations: Provide a written reminder to courier contractors of the need to adhere to all courier service procedures. (short-term).

ID. No.: 05-23; Recommendations: Periodically verify that contractors entrusted with taxpayer receipts and information off-site adhere to IRS procedures. (short-term).

ID. No.: 05-33; Recommendations: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term).

ID. No.: 05-38; Recommendations: Enforce requirements for monitoring accounts and reviewing monitoring of accounts.
(short-term).

ID. No.: 05-40; Recommendations: Enforce the requirement that command code profiles be reviewed at least once annually. (short-term).

ID. No.: 06-10; Recommendations: Revise the lockbox bank's security review checklist to ensure that it encompasses reviewing security incident reports to validate whether security personnel are providing corrective actions related to the incidents cited. (short-term).

ID. No.: 06-11; Recommendations: Refine the scope and nature of IRS's periodic reviews of candling processes at SCCs to ensure they (1) encompass tests of whether envelopes are properly candled through observation of candling in process and inquiry of employees who perform initial and final candling and (2) document the nature and scope of the test and observation results. (short-term).

ID. No.: 06-13; Recommendations: Refine the scope and nature of IRS's periodic reviews of lockbox banks to include high-dollar remittances to better monitor adherence to the requirement that they are processed immediately and deposited at the first available opportunity. (short-term).

ID. No.: 06-14; Recommendations: Refine the scope and nature of IRS's periodic security reviews to encompass (1) testing the effectiveness of controls intended to ensure that only individuals with proper credentials are permitted access to SCCs and lockbox banks and (2) reviewing the integrity of perimeter security at SCCs. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Establishment and Review of Performance Measures and Indicators:

Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken.
Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators. IRS's operations include a vast array of activities encompassing taxpayer education, processing of taxpayer receipts and data, disbursing hundreds of billions of dollars in refunds to millions of taxpayers, maintaining extensive information on tens of millions of taxpayers, and seeking collection from individuals and businesses that fail to comply with the nation's tax laws. Within its compliance function, IRS has numerous activities, including identifying businesses and individuals that underreport income, collecting from taxpayers that do not pay, and collecting from those receiving refunds for which they are not eligible. Although IRS has at its peak over 90,000 employees, it still faces resource constraints in attempting to fulfill its duties. Because of this, it is vitally important for IRS to have sound performance measures to assist it in assessing its performance and targeting its resources in a manner that maximizes the government's return on investment. However, in past audits we have reported that IRS did not capture cost at the program or activity level to assist in developing cost-based performance measures for its various programs and activities. As a result, IRS is unable to measure the costs and benefits of its various collection and enforcement efforts to best target its available resources. Additionally, we have reported that IRS's controls over its reporting of interim performance measurement data were not effective throughout the year because the data reported at interim periods for certain performance measures were either not accurate or were outdated. The following four open recommendations are designed to assist IRS in evaluating its operations, determining which activities are the most beneficial, and establishing a good system for oversight. (See table 10.) 
These recommendations call for IRS to measure, track, and evaluate the cost, benefits, or outcomes of its operations--particularly with regard to identifying its most effective tax collection activities.

Table 10: Recommendations To Improve IRS's Establishment And Review Of Performance Measures And Indicators:

ID. No.: 99-29; Recommendations: Develop the data to support meaningful cost information categories and cost-based performance measures. (long-term).

ID. No.: 01-04; Recommendations: As an alternative to prematurely suspending active collection efforts, and using the best available information, develop reliable cost-benefit data relating to collection efforts for cases with some collection potential. These cost-benefit data would include the full cost associated with the increased collection activity (i.e., salaries, benefits, and administrative support) as well as the expected additional tax collections generated. (long-term).

ID. No.: 01-12; Recommendations: For (1) IRS's AUR and Combined Annual Wage Reporting programs, (2) screening and examination of Earned Income Tax Credit (EITC) claims, and (3) identifying and collecting previously disbursed improper refunds, use the best available information to develop reliable cost-benefit data to estimate the tax revenue collected by, and the amount of improper refunds returned to, IRS for each dollar spent pursuing these outstanding amounts. These data would include (1) an estimate of the full cost incurred by IRS in performing each of these efforts, including the salaries and benefits of all staff involved, as well as any related nonpersonnel costs, such as supplies and utilities, and (2) the actual amount (a) collected on tax amounts assessed and (b) recovered on improper refunds disbursed. (long-term).

ID.
No.: 04-15; Recommendations: Until the Business Performance Management System (BPMS) is fully operational, implement procedures to ensure that all performance data reported in the Monthly Summary of Performance (MSP) report are subject to effective, documented reviews to provide reasonable assurance that the data are current at interim periods. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Management of Human Capital:

Effective management of an organization's workforce--its human capital--is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization's success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities.

IRS's operations cover a wide range of technical competencies with specific expertise needed in tax-related matters; financial management; and systems design, development, and maintenance.
Because IRS has tens of thousands of employees spread throughout the country, management's responsibility to keep its guidance up-to-date and its staff properly trained is imperative. The following open recommendation would assist IRS in its management of human capital in its financial operations. (See table 11.) The recommendation is over 5 years old and may be resolved through IRS's business systems modernization efforts.

Table 11: Recommendation To Improve IRS's Management Of Human Capital:

ID. No.: 99-25; Recommendation: Ensure that additional staff are employed or existing staff appropriately cross-trained to be able to perform the master file extractions and other ad hoc procedures needed for IRS to continually develop reliable balances for financial reporting purposes. (short-term).

Source: GAO analysis of financial management recommendations made to IRS.

[End of table]

Concluding Observations:

Increased budgetary pressures and an increased public awareness of the importance of internal control require IRS to operate more efficiently and more effectively in its mission while protecting taxpayers and their information. Sound financial management and effective internal controls can assist IRS in achieving its goals. IRS has made substantial progress in improving its financial management since its first financial audit, as evidenced by consecutive clean audit opinions on its financial statements for the past 6 years, resolution of several material internal control weaknesses, and the closing of hundreds of financial management recommendations. This progress has been the result of hard work and commitment at the top. Nonetheless, more needs to be done to fully address the financial management challenges the agency faces. Efforts must continue to address the internal control deficiencies that continue to exist.
Effective implementation of the recommendations we have made and continue to make through our financial audits and related work could greatly assist IRS in improving its internal controls and achieving sound financial management. Agency Comments and Our Evaluation: In commenting on a draft of this report, IRS expressed its appreciation that we acknowledged the progress the agency has made in addressing its financial management challenges, and noted that our mapping of its remaining recommendations to specific internal control activities and grouping them into three broad categories will facilitate its strategy to address the remaining financial management issues. IRS also highlighted its efforts to further improve its internal controls over hard-copy tax receipts, noting that its plan to address these issues now includes comprehensive actions to address our remaining recommendations covering lockbox banks, submission processing campuses, taxpayer assistance centers, and field offices. We will review the effectiveness of these corrective actions and the status of IRS's progress in addressing all open recommendations as part of our fiscal year 2006 IRS financial statement audit. We are sending copies of this report to the Chairmen and Ranking Minority Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Minority Members of the House Committee on Appropriations; House Committee on Ways and Means; Chairman and Vice Chairman of the Joint Committee on Taxation, the Secretary of the Treasury, the Director of the Office of Management and Budget, the Chairman of the IRS Oversight Board, and other interested parties. Copies will be made available to others upon request. 
In addition, the report will be available at no charge on GAO's Web site at http://www.gao.gov. If you have any questions concerning this report, please contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs can be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Sincerely yours, Signed by: Steven J. Sebastian: Director Financial Management and Assurance: [End of section] Appendix I Status of GAO Recommendations from IRS Financial Audits and Related Management Reports: Count: 1; ID. No.: 94-2; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term); Source report: Financial Management: Important IRS Revenue Information Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); Per IRS: Open. The five errors identified in the FY05 Financial Statement Audit were resolved. The Complex Interest Quality Measurement System (CIQMS) staff assisted GAO with their sample review for the FY06 Audit. Once GAO completes their audit, CIQMS will continue to provide assistance as subject matter experts; Per GAO: Open. In testing a statistical sample of 45 manual interest transactions recorded during fiscal year 2005, we found five errors relating to the calculation and recording of manually calculated interest. We estimate that 11 percent of IRS's manual interest population contains errors and concluded that IRS controls over this area remain ineffective. We will continue to test the accuracy of IRS's manual interest calculations during our fiscal year 2006 financial audit. Count: 2; ID. 
No.: 99-1; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure all accounts related to a single assessment are appropriately credited for payments received. (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Per IRS: Open. IRS has taken several actions to strengthen controls and correct programming or procedural deficiencies in the cross referencing of payments. To ensure quality, timeliness, and accuracy of the Trust Fund Recovery Penalty (TFRP) process, the IRS initiated a quality review process that focused in two primary areas. The first being consolidation of all TFRP work to one campus. Consolidation of all SB/SE Automated Trust Fund Recovery (ATFR) work to the Ogden campus was completed in September 2005. All Wage & Investment (W&I) business unit TFRP work was transferred to SB/SE Campuses as of January 2006. The second area IRS undertook was the task of rewriting the ATFR area office user component to provide system flexibility that better replicates the realities of the current trust fund investigation/proposal process. The enhanced rewrite has been delivered and is in production testing. Training is scheduled to begin in June 2006 with a complete nationwide deployment by the end of fiscal year 2006. IRS continues to monitor the accuracy and effectiveness of the TFRP process and all corrective actions already in place; Per GAO: Open. We recognize automation of the current TFRP program is much needed. However, IRS's efforts to date have not been effective. In fiscal year 2005, we reviewed a statistical sample of 80 TFRP payments made on accounts established since August 2001. We found six instances in which IRS did not properly record the payment to all related taxpayer accounts. We estimate that 7.5 percent of these payments may not be properly recorded.
We will continue to review IRS's initiatives to improve posting of TFRP cases and test TFRP cases for proper postings to all related accounts as part of our fiscal year 2006 financial audit. Count: 3; ID. No.: 99-3; Recommendation: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Per IRS: Open. The Custodial Accounting Project (CAP) has been canceled due to budget constraints. The IRS chief financial officer (CFO) has developed a TFRP database that can establish the links and identify problems to more accurately report a single balance due for these assessments and determine areas for improvement in the TFRP program. The TFRP database is the first Release of the Financial Management Information System's (FMIS) enhancement to the Custodial Detail Data Base (CDDB) that has been proposed to enable the IRS CFO to address many of the outstanding financial management recommendations. FMIS/CDDB Release 1, TFRP database will be tested and fully implemented in 2006. Further releases of FMIS/CDDB functionality are contingent on future funding levels; Per GAO: Open. 
We will continue to monitor IRS's development of an alternative strategy for CAP, as well as its implementation of the new FMIS/CDDB. If IRS implements CDDB Release 1 for fiscal year 2006, we will perform tests of these data as part of our fiscal year 2006 audit. Count: 4; ID. No.: 99-17; Recommendation: Ensure that all returned refund checks are stamped "nonnegotiable" as soon as they are extracted. (short-term); Source report: Internal Revenue Service: Physical Security Over Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 1998); Per IRS: Closed. A memorandum is issued to Submission Processing (SP) Field Directors prior to filing season reinforcing the importance of ensuring SP procedures and policies regarding overstamping of returned refund checks are followed. In addition, this requirement is part of the Campus Monthly Security Reviews. All findings are shared with SP Field Directors. Local management continues to remind employees of the importance of overstamping returned refund checks on a regular basis through individual and group meetings to ensure compliance with the Internal Revenue Manual (IRM) and security requirements; Per GAO: Closed. During our fiscal year 2005 audit, we found no instances where returned refund checks were not stamped "nonnegotiable" upon extraction at the four SCCs we visited. Count: 5; ID. No.: 99-19; Recommendation: Ensure that walk-in payment receipts are recorded in a control log prior to depositing the receipts in the locked container and ensure that the control log information is reconciled to receipts prior to submission of the receipts to another unit for payment processing. To ensure proper segregation of duties, an employee not responsible for logging receipts in the control log should perform the reconciliation. (short-term); Source report: Internal Revenue Service: Physical Security Over Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 1998); Per IRS: Open. 
IRM 21.3.4.7 was updated in October 2005 to require employees to record payments on Form 795, Daily Report of Collection Activities, and to immediately place the payment in a locked container. Field Assistance has implemented in taxpayer assistance centers (TACs) where staffing permits the review of Form 795 and all supporting documents for accuracy (by an employee other than the recipient of the funds) before they are transmitted to the Submission Processing Centers (SPC). The review process for these TACs was included in the IRM on January 20, 2006. Additional procedures were explored to determine a feasible process for mitigating the circumstances that prevent proper segregation of duties in TACs with limited staffing. In exploring procedures in January 2006 for TACs with limited staffing where there is no manager, secretary, or Initial Account Representative, Field Assistance determined proposed procedures to be burdensome, difficult to administer, and not administratively feasible (e.g., copying and faxing Form 795 to the manager). In addition, based on a September 2005 Treasury Inspector General for Tax Administration (TIGTA) report on payments received at TACs, 99 percent of payments posted appropriately to taxpayer accounts. This accuracy rate combined with compensating controls at the SPCs effectively reduces risks associated with not having reconciliation processes in small TACs. Additional emphasis was placed on development of internal controls and the oversight and accountability of both employees and managers within Field Assistance. Specifically,; Per GAO: Open. During our fiscal year 2005 audit, we found a lack of segregation of duties related to the preparation, review, and/or reconciliation of Form 795 at six of the eight TACs we visited. At three of these TACs, at times only one employee was present to carry out the functions of the office. 
At another TAC, there was no evidence that the Form 795 was reconciled by an employee other than the employee who received the payment from the taxpayer and recorded it on the Form 795. At this same TAC, we observed two instances where employees did not log information onto the Form 795 upon receipt. At the fifth TAC, the employee responsible for receiving and recording payments on the control log did not receive an independent reconciliation of the payments before they were mailed to the SCC for further processing. At the sixth TAC, one employee retrieved all the checks from the locked container and logged all the checks received onto a Form 795 and sent them to the SCC without a supervisor or designee review. The corrective actions cited by IRS were subsequent to our fieldwork at those locations. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Per IRS (continued): Field Assistance headquarters began conducting operational reviews on February 28, 2006. The operational reviews include assessing their ability to engage employees in process and program improvement, identifying best practice ideas, ensuring elements of accountability and responsibility are clearly communicated at each level, and assessing conformance to the current policies and procedures. Count: 6; ID. No.: 99-20; Recommendation: Analyze and determine the factors causing delays in processing and posting TFRP assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (short-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Per IRS: Open. To ensure quality, timeliness, and accuracy of the TFRP process, the IRS initiated a quality review process that focused in two primary areas.
The first being consolidation of all TFRP work to one campus. Consolidation of all SB/SE ATFR work to the Ogden campus was completed in September 2005. All W&I business unit TFRP work was transferred to SB/SE Campuses as of January 2006. The second area IRS undertook was the task of rewriting the ATFR area office user component to provide system flexibility that better replicates the realities of the current trust fund investigation/proposal process. The enhanced rewrite has been delivered and is in production testing. Training is scheduled to begin in June 2006 with a complete nationwide deployment by the end of fiscal year 2006. IRS continues to monitor the accuracy and effectiveness of the TFRP process and all corrective actions already in place; Per GAO: Open. We will continue to review IRS's initiatives to improve posting of TFRP cases and monitor trust fund recovery penalty processing timeliness as part of our fiscal year 2006 audit. Count: 7; ID. No.: 99-22; Recommendation: Expand IRS's current review of service center deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly over-stamping checks made out to the "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Per IRS: Closed. The guidelines in the Fiscal Year 2003 Operating Procedures for TACs for safeguarding receipts in locked containers and over-stamping checks made payable to IRS were incorporated into the IRM in June 2003. The requirement for over-stamping checks made payable to the IRS has been emphasized. 
Operational reviews by Field Assistance Headquarters are planned to ensure adherence to safeguarding of receipts and over-stamping requirements. Employees have been instructed to keep all containers locked that contain taxpayer data. Each employee will be provided individual performance feedback regarding any security violations. More frequent security reviews will be conducted that include this and other areas relating to protection of taxpayer data. Additional emphasis will be placed on development of internal controls and the oversight and accountability of both employees and managers within Field Assistance; Per GAO: Open. While IRS has taken steps to address this recommendation, the current response does not entail expansion of IRS's service center security reviews and TAC operational reviews to the non-W&I business units. During our fiscal year 2005 audit, we found several instances where controls over safeguarding taxpayer receipts and information at the SB/SE, the Large and Mid-Size Business (LMSB), and Tax Exempt and Government Entities (TE/GE) field office units were not effective. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 8; ID. No.: 99-25; Recommendation: Ensure that additional staff are employed or existing staff appropriately cross-trained to be able to perform the master file extractions and other ad hoc procedures needed for IRS to continually develop reliable balances for financial reporting purposes. (short-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Per IRS: Open. The CAP has been stopped due to budget cuts. The IRS has decided to address this recommendation by enhancing the Service's existing FMIS with a new database, the CDDB and the Interim Revenue Accounting Control System (IRACS) used to support the financial audit.
The CFO has developed a business case and will pursue opportunities to identify resources within the IRS's Information Technology budget to fund this effort. The need to build an appropriate depth of experience is still an immediate and ongoing issue. The IRS continues to examine its resources to see if work can be realigned, and if existing employees can be retrained. Contractor support is used to provide the support and backup necessary for preparation of the compensating procedures, pending implementation of the CDDB and the Customer Account Data Engine (CADE). IRS is committed to supporting the funding of contractor resources that are used for the financial statement audit. This corrective action will be continually monitored; Per GAO: Open. In fiscal year 2005, IRS continued to augment its own resources with contractor support to produce auditable financial statements. We will continue to assess IRS's actions during our fiscal year 2006 audit. Count: 9; ID. No.: 99-29; Recommendation: Develop the data to support meaningful cost information categories and cost-based performance measures. (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Per IRS: Open. Integrated Financial System (IFS) Release 1, which was implemented on November 10, 2004, includes a cost module that will interface with program area management information systems. Both direct and indirect resource cost data will be linked to the budget process and the strategic planning goals of all business units. This will help move IRS forward in transitioning to a performance-based organization. Full cost accounting will not be realized until future releases, such as Work Management, are implemented. An integrated Work Management module would routinely provide a greater level of detail for costing purposes.
However, at present, all future releases are being reevaluated based on funding availability and no future implementation date has been established; Per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing a cost-accounting system and populating it with the cost information needed to support meaningful cost-based performance measures. Count: 10; ID. No.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Per IRS: Open. In IFS Release 1, implemented on November 10, 2004, P&E are being recorded as an asset when purchased. The ability to tie to the detailed physical asset information and a fully integrated system with subsidiary records will not be available until the IFS Asset Management module is implemented. At present, all future releases are being reevaluated based on funding availability and no future implementation date has been established; Per GAO: Open. IRS implemented the first release of the new IFS on November 10, 2004, which allowed recording P&E as assets when purchased. However, implementation of a property asset module that is intended to generate detailed records for P&E that will reconcile to the financial records is being deferred indefinitely due to funding constraints. We will continue to monitor IRS's progress in implementing subsequent IFS releases and the property asset module. Count: 11; ID. No.: 01-04; Recommendation: As an alternative to prematurely suspending active collection efforts, and using the best available information, develop reliable cost-benefit data relating to collection efforts for cases with some collection potential. 
These cost-benefit data would include the full cost associated with the increased collection activity (i.e., salaries, benefits, and administrative support) as well as the expected additional tax collections generated. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Per IRS: Open. Based on initial success with modeling technology, SB/SE has initiated several other projects to build additional decision analytical models to increase our ability to route cases to the appropriate resource. These projects include the addition of external credit scores and other internal data to build more robust models with increased predictive power. These efforts will continue to help IRS ensure that the right resources are devoted to the appropriate cases. IRS has developed a corporate strategy for working collections cases. The Collection Governance Board (consisting of executives from SB/SE and W&I) was established in August 2005 to ensure inventory is balanced and resources are expended appropriately; Per GAO: Open. We will continue to review IRS's initiatives to manage resource allocation levels for its collection efforts. Count: 12; ID. No.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Per IRS: Open. IRS has redeveloped the prior action plan to incorporate the requirements of the revised OMB Circular No. A-123. 
The overall action addresses untimely lien releases, including identification of root causes and where they occur organizationally; Per GAO: Open. During our fiscal year 2005 audit, we continued to find delays in release of liens. We found 13 instances out of 59 cases tested in which IRS did not release the applicable federal tax lien within the 30-day statutory period. The time between the satisfaction of the liability and release of the lien ranged from 36 days to 233 days. We will assess the impact of IRS's actions and continue to review IRS's release of tax liens as part of our fiscal year 2006 audit. Count: 13; ID. No.: 01-12; Recommendation: For (1) IRS's AUR and Combined Annual Wage Reporting programs, (2) screening and examination of Earned Income Tax Credit claims, and (3) identifying and collecting previously disbursed improper refunds, use the best available information to develop reliable cost-benefit data to estimate the tax revenue collected by, and the amount of improper refunds returned to, IRS for each dollar spent pursuing these outstanding amounts. These data would include (1) an estimate of the full cost incurred by IRS in performing each of these efforts, including the salaries and benefits of all staff involved, as well as any related nonpersonnel costs, such as supplies and utilities and (2) the actual amount (a) collected on tax amounts assessed and (b) recovered on improper refunds disbursed. (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Per IRS: Open. Allocation methodology was reviewed and enhanced for fiscal year 2006 and further refinements will be implemented each year. The first year's data will be reviewed in fiscal year 2006 and a plan developed for integrating cost data in decision making. The use of the data will be tested in fiscal year 2007 with baseline data. 
However, to achieve maximum benefit in decision making, several years' data will be needed. As a result, the IRS will fully implement the use of cost accounting data for resource allocation decisions in fiscal year 2008; Per GAO: Open. During our fiscal year 2005 audit, IRS provided information on the AUR program, including program results. Based on our review of the information and discussions with IRS officials, we determined IRS does not use the data to make decisions on the AUR workload. In addition, IRS implemented a cost accounting module during fiscal year 2005. However, management has not yet determined what the full range of its cost information needs are or how best to tailor the capabilities of this module to serve those needs. Also, IRS has not yet implemented a related workload management system intended to provide the cost module with detailed personnel cost information. In addition, as noted by IRS, because it generally takes several years of historical cost information to support meaningful estimates and projections, IRS cannot yet rely on this system as a significant planning tool. We will continue to follow up on IRS's progress on this issue during our fiscal year 2006 audit. Count: 14; ID. No.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Per IRS: Open. In IFS Release 1, implemented on November 10, 2004, P&E and leasehold improvements are recorded as assets when purchased. However, amortization will remain a manual process. The ability to tie the detailed physical asset information and a fully integrated system with subsidiary records will not be available until the Asset Management module is implemented. 
At present, all future releases are being reevaluated based on funding availability and no future implementation date has been established; Per GAO: Open. IRS implemented the first release of the new IFS on November 10, 2004, which allowed recording leasehold improvements as assets when purchased. However, implementation of a property asset module that is intended to generate detailed records for P&E that will reconcile to the financial records is being deferred indefinitely due to funding constraints. We will continue to monitor IRS's progress in implementing subsequent IFS releases and the property asset module. Count: 15; ID. No.: 01-18; Recommendation: Implement procedures and controls to ensure that expenditures for P&E are charged to the correct accounting codes to provide reliable records for expenditures as a basis of extracting the costs for major systems and leasehold improvements. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Per IRS: Closed. In IFS Release 1, implemented on November 10, 2004, P&E and leasehold improvements are posted to the correct accounting code at the time of purchase. IRS has improved the definitions of P&E and has provided guidance on appropriate coding classifications to end users. Routine control reviews have been established to ensure the accuracy and appropriate coding of classifications; Per GAO: Closed. IRS implemented the first release of IFS on November 10, 2004, which incorporated procedures to allow IRS to record the majority of P&E additions in the appropriate general ledger accounts as they occur. During our fiscal year 2005 audit, we found that IRS was generally recording P&E transactions as they occurred, although we did identify some new issues. See recommendation ID. No. 06-20. Count: 16; ID. No.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. 
(long-term); Source report: Management Letter: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 2001); Per IRS: Open. IRS has developed guidance for costing reimbursable agreements, which includes instructions on tracking labor. IFS Release 1, implemented on November 10, 2004, includes a cost module that will interface with program area management information systems. Full cost accounting will not be realized until future releases, such as Work Management, are implemented. Actions will be initiated in fiscal year 2006 or fiscal year 2007 to begin gathering the real cost of certain reimbursable projects. At present, future releases are being evaluated based on funding availability and no future implementation date has been established; Per GAO: Open. We confirmed that IRS has procedures for costing reimbursable agreements that provide the basic framework for the accumulation of both direct and indirect costs at the necessary level of detail. IRS plans to implement these procedures over several years as it phases in various program area management information systems that will provide critical information to its new cost accounting system. However, as indicated by IRS, these systems have not yet been scheduled for implementation. We will continue to monitor IRS's efforts to fully implement its cost accounting system and, once it has been fully implemented, evaluate the effectiveness of IRS procedures for developing cost information for its reimbursable agreements. Count: 17; ID. No.: 02-01; Recommendation: Implement policies and procedures to record capitalizable acquisition costs for P&E, capital leases, leasehold improvements, and major systems in the appropriate P&E general ledger accounts as transactions occur. (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Per IRS: Closed. 
In IFS Release 1, implemented on November 10, 2004, property and equipment are recorded as assets when purchased; Per GAO: Closed. IRS implemented the first release of IFS on November 10, 2004, which incorporated procedures to allow IRS to record the majority of P&E additions in the appropriate general ledger accounts as they occur. During our fiscal year 2005 audit, we found that IRS was generally recording P&E transactions as they occurred, although we did identify some new issues. See recommendation ID. No. 06-20. Count: 18; ID. No.: 02-08; Recommendation: Implement policies and procedures to require that all employees itemize on their time cards the time spent on specific projects. (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Per IRS: Open. IRS agreed with the objective of this recommendation, which is to allow it to collect and report the full payroll costs associated with its activities. While IRS indicated that most of its employees already itemize their time charges in functional tracking systems, it has acknowledged that full implementation of the IFS cost accounting module is required to close this recommendation. IFS Release 1, implemented on November 10, 2004, includes requirements for a cost module that will be interfaced with program area management information systems. Both direct and indirect resource cost data can be linked to the budget process and the strategic planning goals of all business units. This will help move IRS forward in transitioning to a performance-based organization. Full cost accounting will not be realized until future releases, such as Work Management, are implemented. At present, all future releases are being reevaluated based on funding availability and no future implementation date has been established; Per GAO: Open. 
We confirmed that IRS employees continue to use functional tracking (workload management) systems to itemize and track their time charges. However, this recommendation remains open because its objective is to allow IRS to collect and report the full payroll costs associated with its activities. During our fiscal year 2005 audit, we continued to find that the functional tracking systems are insufficient for this purpose because they do not interface with each other or the general ledger to allow management to use them to readily accumulate the time charged to specific projects. Count: 19; ID. No.: 02-09; Recommendation: Implement policies and procedures to allocate nonpersonnel costs to programs and activities on a routine basis throughout the year. (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Per IRS: Open. The IFS, Release 1, implemented on November 10, 2004, includes a cost module that is interfaced with program area management information systems. Both direct and indirect resource cost data can be linked to the budget process and the strategic planning goals of all business units. This helps move IRS forward in transitioning to a performance-based organization. Full cost accounting will not be realized until future IFS releases, including Work Management, are implemented; Per GAO: Open. We confirmed that the IRS plans include requirements that meet the objectives of this recommendation; however, IRS has indefinitely delayed the implementation of these requirements. IRS's plans to implement these requirements are expected to be executed over several years as IRS phases in various program area management information systems that will provide critical information to the cost accounting system. We will continue to monitor the progress of IRS's efforts to address this issue. Count: 20; ID. 
No.: 02-14; Recommendation: Develop policies and procedures to require that IRS and lockbox employees performing final candling record receipts in a control log at the time of discovery, recording at a minimum the total number of payments found, the amount of each payment, and the taxpayer who submitted the payment. (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Per IRS: Closed. The 2005 Lockbox Processing Guidelines (LPG), Documentation of Items Found in Candling (Form 9535), directs the responsible manager to initial Form 9535 every day for each shift. An entry must be made each shift, whether or not items have been found. A manager will initial Form 9535 to validate all of the following: (1) all available information is correctly entered; (2) items found have been reconciled with Form 9535 entries; (3) items have been correctly categorized as processable or unprocessable; (4) all processable work has been cleared after each shift, i.e., the work has been put back into the stream of work; and (5) the received date has been entered correctly. Only Form 9535 will be used for documenting items found during candling. IRM 3.10.72.6.2 provides the following guidance for the campuses: Management shall maintain Form 13592 Candling Log - Receipt and Control (R&C) Discovered Remittances to record remittances found in final candling. An employee designated by management will immediately record these items into the final candling log. In addition, management shall initial the log to validate that all available information is correctly entered and ensure that all remittances listed on the log are brought to the deposit function on a daily basis. The National Office redesigned the Form 13592 candling log that records, at a minimum, the total number of payments found, the amount of each payment, and the taxpayer who submitted the payment; Per GAO: Closed. 
During our fiscal year 2005 audit, we verified that IRS updated its candling procedures in the LPG and IRM to include the recording of receipts in the control log at the time of discovery. Count: 21; ID. No.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Per IRS: Open. Field Assistance has implemented in TACs, where staffing permits, the review of Form 795 and all supporting documents for accuracy by someone other than the recipient of the funds before they are transmitted to the SPCs. Additional procedures are being explored to determine a process for mitigating the circumstances that prevent proper segregation of duties in those TACs with limited staffing. Additional emphasis will be placed on development of internal controls and the oversight and accountability of both employees and managers within Field Assistance; Per GAO: Open. During our fiscal year 2005 audit, we found a lack of segregation of duties related to the preparation, review, and/or reconciliation of Form 795 at six of the eight TACs we visited. At three of these TACs, at times only one employee is present to carry out the functions of the office. At another TAC, there was no evidence that the Form 795 was reconciled by an employee other than the employee who received the payment from the taxpayer and recorded it on the Form 795. At this same TAC, we observed two instances where employees did not log information onto the Form 795 upon receipt. 
At the fifth TAC, the employee responsible for receiving and recording payments on the control log did not receive an independent reconciliation of the payments before they were mailed to the SCC for further processing. At the sixth TAC, one employee retrieved all the checks from the locked container and logged all the checks received onto a Form 795 and sent them to the SCC without a supervisor or designee review. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 22; ID. No.: 02-18; Recommendation: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Secure Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Per IRS: Closed. In July 2005, NFC demonstrated (first time) a Web version of SETS and more IRS requirements are to be accommodated in that system; a meeting is slated for early 2006 between IRS and NFC. Also, IRS/NFC dialogue continues to ensure that data flows are timely and accurate, reconciliations and error adjustments regularly occur, and monthly NFC reports are reviewed and analyzed by IRS. Agency-Wide Shared Services (AWSS) continues to monitor SETS reports for each pay period and coordinates with employment offices when corrections are needed. IRS and NFC continue to engage in on-going discussions on reconciliations and error adjustments as needed. NFC controls the time table for deploying a Web version of SETS; however, no time table has been set and no meetings are being convened; Per GAO: Open. During our fiscal year 2005 audit, we continued to find technical limitations in IRS's SETS database. The corrective actions cited by IRS were subsequent to our fieldwork for the fiscal year 2005 audit. 
We will evaluate the effectiveness of these actions during our fiscal year 2006 audit. Count: 23; ID. No.: 03-02; Recommendation: Establish and document guidelines and procedures in IRS policy and procedure manuals for implementing the new penalty provision for lockbox banks to reimburse the government for direct costs incurred in correcting errors made by lockbox banks. (short-term); Source report: Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-299, Jan. 15, 2003); Per IRS: Closed. IRS and the Financial Management Service (FMS) prepared a reimbursement process. The procedures include the use of a special Lockbox Program code to delineate IRS rework costs as a result of errors made by the lockbox sites. The Lockbox Policy Reimbursement procedures are included in the 2005 LPG under LPG 2.1.9 and 2005 Lockbox Processing Procedures under IRM 3.0.230.9.3; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS had incorporated reimbursement procedures in the 2005 LPG. Count: 24; ID. No.: 03-07; Recommendation: Revise the guidance used for compliance reviews so it requires reviewers to (1) determine whether lockbox contractors, such as couriers, have completed and obtained favorable results on IRS fingerprint checks and (2) obtain and review all relevant logs for cash payments and candled items to ensure that all payments are accounted for. (short-term); Source report: Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-299, Jan. 15, 2003); Per IRS: Closed. IRS updated the security check sheet in January 2004 to instruct reviewers to determine whether contractors have completed and obtained favorable fingerprint results and to review all relevant logs for cash payments and candling logs. 
In order to ensure compliance to the LPG requirements, an IRS and FMS task group developed a performance measures process to include a category for security (Courier, Physical, Remittance) that was implemented in October 2005. This process, which was piloted in 2005 and implemented in January 2006, uses a data collection instrument (DCI) check sheet that lists by line item the requirements as outlined in the LPG. It is used as a tool to identify varying levels of performance and provide incentives and disincentives based on those levels of performance. This helps the IRS/FMS Security staff ensure compliance with the LPG requirements. Additionally, an internal control review is included in the reviews performed quarterly by the Lockbox coordinators; Per GAO: Closed. During our fiscal year 2005 audit, we verified the lockbox coordinator's on-site review check sheet included the requirement to ensure that the cash and candling logs are being kept and updated daily and that contractors have completed and obtained favorable results on IRS fingerprint checks. Count: 25; ID. No.: 03-08; Recommendation: Assign individuals, other than the lockbox coordinators, responsibility for completing on-site performance reviews. (short-term); Source report: Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-299, Jan. 15, 2003); Per IRS: Closed. IRS Lockbox Field Section, IRS Policy & Procedures Section, and FMS are responsible for conducting their own on-site performance reviews during peak season at each Lockbox site. DCIs are used by the IRS Field Coordinators to review Lockbox processing requirements and processing internal controls. DCIs are also used by IRS Policy & Procedures Section in conjunction with IRS Mission Assurance and FMS Security to review courier, physical, and personnel security. 
FMS and IRS Policy and Procedures Section also use a check sheet to review various processing/security requirements during peak processing. DCI processing reviews are also completed daily at each IRS SPC by SPC staff after the work is received from the lockbox. The on-site DCI processing and security reviews and the SPC reviews are incorporated into the Bank Performance Standards scorecards. The scorecards are signed by both IRS and FMS management prior to being issued to each Lockbox site under an FMS cover letter. In addition, peak trip reports are completed jointly by the IRS and FMS personnel on site. These trip reports assess the bank's performance by categories such as deliverables, FMS cash management cash flow, mail, processing, remittance security, and staffing. This report is used to capture any observations that may or may not have been covered on the various DCIs. The combination of these reviews serves as the checks and balances of the program. While the Field Coordinators remain responsible for the on-site processing review, these reviews constitute only a portion of the overall assessment of each lockbox site; Per GAO: Closed. We issued this recommendation in January 2003 when the lockbox coordinators were the only individuals responsible for conducting the performance reviews and at that time these reviews were not being performed because of competing demands. Over the years, IRS and FMS have increased their oversight of the lockbox bank program with various performance and compliance reviews. These reviews include peak season trip reports and annual security reviews conducted jointly by IRS and FMS staff. In addition, IRS has implemented a scorecard system performed, reviewed, and signed by both IRS and FMS that incorporates the results of the reviews. These procedures collectively satisfy the objective of this recommendation. Count: 26; ID. 
No.: 03-10; Recommendation: Require lockbox management to ensure that guards are responsive to alarms and that IRS take steps to monitor adherence to this requirement. (short-term); Source report: Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-299, Jan. 15, 2003); Per IRS: Closed. To provide more emphasis on security, the Lockbox Security Guidelines (LSG) is no longer included in the LPG. Beginning in 2006 LSG is a separate document. LSG 2.2.2.4(7) requires that "Bank management is ultimately responsible for access control and procedures for ensuring only authorized personnel are granted access to the processing floor. Bank management must be involved in the day to day access control process. This responsibility cannot be delegated (e.g., to temporary agency personnel, security guards, third parties)." LSG 2.2.3.1 (7) provides the requirements for guards to respond to alarms. The Security Team performs alarm testing and evaluates guards' responses to alarms during their on-site security reviews. Security Performance Measures (effective January 2006) were developed to measure and rate each site's overall adherence to security guidelines and provide incentives/disincentives accordingly. Mission Assurance and FMS Security staff support the Lockbox Policy and Procedures Program Office in conducting security reviews. Reviews rate each site's compliance to physical, personnel, courier, and information technology (IT) security; Per GAO: Closed. We verified that the LSG requires lockbox bank management to ensure that guards are responsive to alarms. Additionally, we verified that Security Performance Measures are in place to measure and rate each lockbox bank's overall adherence to security guidelines. Count: 27; ID. No.: 03-15; Recommendation: Require lockbox management to ensure that envelopes are properly candled and that IRS take steps to monitor adherence to this requirement. 
(short-term); Source report: Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-299, Jan. 15, 2003); Per IRS: Closed. Effective October 2005, candling reviews are conducted at all Lockbox sites to ensure that all candling requirements are being met. These internal control reviews ensure that envelopes opened (manually or by OPEX) on three or more sides are candled once and that envelopes other than the ones opened on three or more sides are candled twice. The results of these reviews are used to calculate each bank's score in the new bank performance measurement process. The Processing-Internal Controls (PIC) DCI that included the new candling review was first performed by Lockbox Field Coordinators at Individual Master File (IMF) lockbox sites during on-site reviews in October 2005 and at Business Master File (BMF) sites in November 2005. This element is now part of the Lockbox Performance Scorecard Measures; Per GAO: Open. During our fiscal year 2005 audit, we found instances at one lockbox bank where employees did not properly candle envelopes. However, the candling reviews planned by IRS were implemented subsequent to the completion of our fiscal year 2005 fieldwork. We will evaluate the effectiveness of these reviews during our fiscal year 2006 audit. Count: 28; ID. No.: 03-17; Recommendation: Require lockbox management to ensure that returned refund checks are restrictively endorsed immediately upon extraction and that IRS take steps to monitor adherence to this requirement. (short-term); Source report: Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-299, Jan. 15, 2003); Per IRS: Closed. 
The requirement to ensure that returned refund checks are restrictively endorsed immediately upon extraction was previously listed in Section 3.2.1 of the 2002 LPG issued January 1, 2002, as well as the 2003 (revised April 8, 2003) and 2004 LPG, issued December 1, 2003. During the on-site security reviews, IRS and FMS security teams reviewed adherence to this requirement. Additionally, adherence to this requirement is evaluated during the daily SPC quality reviews; Per GAO: Closed. During our fiscal year 2005 audit, we did not identify any instances where returned refund checks at the lockbox banks were not restrictively endorsed upon extraction. Count: 29; ID. No.: 03-29; Recommendation: Confirm with FMS that IRS's requirements for background and fingerprint checks for courier services are met regardless of whether IRS or FMS negotiates the service agreement. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-03-562R, May 20, 2003); Per IRS: Closed. On October 7, 2002, FMS issued an amendment to the Courier Memorandum of Understanding (MOU), which included the requirement that all courier employees satisfy the basic investigation, including a Federal Bureau of Investigation fingerprint and name check. All 10 IRS campuses now have a contact responsible for submitting paperwork to the National Background Investigations Center (NBIC) and ensuring courier employees are granted clearance. On April 10, 2003, IRS requested that NBIC provide a monthly status report of the campus compliance to the W&I. The 2004 LPG (issued December 1, 2003) includes guidelines for background investigations under Personnel Security in Section 4.2; all parties are adhering to these requirements. Compliance to the new requirement will be reviewed during campus security reviews and/or lockbox security reviews, and couriers are now required to have mid-level investigations completed by NBIC prior to working for IRS and/or a lockbox. 
A teleconference was held in September 2005 with FMS, the Federal Reserve Banks (FRB), Treasury's General Account (TGA) Banks, and Campuses. Continuing professional education (CPE) was conducted with the Campus Deposit Managers, January 31 through February 1, 2006 to strengthen relationships with FMS and servicing depositories at national and local levels; also to foster understanding of IRS courier requirements and provide guidance to the deposit managers. An IRS/FMS teleconference was held with FRB officials and local depositories. Courier policies and procedures were reinforced in IRM 3.8.45 with FRB and TGA bank offices and campus deposit managers. The NBIC program manager participated in this session; Per GAO: Open. IRS's IRM and lockbox bank policies require that all courier employees satisfy requirements for background and fingerprint checks regardless of who negotiated the courier service agreement. However, when we updated our review of courier contracts in March 2006, we again found that one FMS-negotiated contract did not contain IRS's requirements for background and fingerprint checks for courier services. We will continue to evaluate the compliance of the 2006 courier agreements during our fiscal year 2006 audit. Count: 30; ID. No.: 03-32; Recommendation: Prohibit the storage of employees' personal belongings with cash payments and receipts at IRS's taxpayer assistance centers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-03-562R, May 20, 2003); Per IRS: Closed. In 2005, remittance training covering the procedures for remittance processing was conducted for all TAC managers. The requirement prohibiting storing personal belongings with taxpayer data was reiterated. Operational reviews are planned by Field Assistance Headquarters to ensure TACs adhere to required IRM procedures. 
Additional emphasis will be placed on development of internal controls and the oversight and accountability of both employees and managers within Field Assistance; Per GAO: Open. During our fiscal year 2005 audit, we identified an instance at one TAC where an employee's personal belongings were stored with taxpayer receipts. In addition, IRS's response does not specifically address the prohibition of taxpayer payments (cash and non-cash) with employees' personal belongings as stated in our recommendation. We will continue to evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 31; ID. No.: 03-33; Recommendation: Revise its candling procedures to specify the precise candling methods to be used based on the dimensions of the mail processed and the extraction method used for both the first and the final candling. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-03-562R, May 20, 2003); Per IRS: Closed. Additional guidance was issued to Submission Processing field employees on February 28, 2005, reinforcing the importance of ensuring Submission Processing candling procedures and policies are followed. IRM 3.10.72 has been revised to specify precise candling methods, as well as specific illumination measures of light. In addition, new requirements were implemented to turn large envelopes that cannot be easily opened on all three sides, inside out. This requirement is part of the campus monthly security reviews. All findings are shared with SP field directors. Local management continues to remind employees of the importance of candling of envelopes on a regular basis through individual and group meetings to ensure compliance with this requirement; Per GAO: Closed. We verified that the IRM has been updated to provide specific instructions regarding the candling processes for different types of mail processed by service center campuses. Count: 32; ID. 
No.: 03-34; Recommendation: Establish and implement procedures prohibiting a single employee from performing the final candling in a remote location. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-03-562R, May 20, 2003); Per IRS: Closed. IRM 3.10.72 has procedures prohibiting a single employee from performing the final candling in a remote location. This requirement is part of the campus monthly security reviews. All findings are shared with SP field directors. Local management continues to remind employees of candling requirements through individual and group meetings to ensure compliance with this requirement; Per GAO: Closed. We verified that IRS had established and implemented procedures prohibiting a single employee from performing final candling in a remote location. In addition, we did not identify any instances in which final candling was performed by only one individual. Count: 33; ID. No.: 03-40; Recommendation: Communicate in writing any potential changes in IRS's certification process to other Treasury entities that use the certification information, and obtain concurrence from these entities prior to implementing such changes. (short-term); Source report: Management Report: Improvements Needed in Controls over IRS's Excise Tax Certification Process (GAO-03-687R, July 23, 2003); Per IRS: Closed. An MOU was signed December 15, 2004, by the Chairman, Excise Tax Trust Fund Working Group. The IRS Treasury Excise Tax Trust Fund Working Group MOU established a process of recording minutes of the Working Group meetings in order to document issues related to trust fund certification procedures/processes and proposed or passed legislative changes impacting trust fund investments. Recording of minutes will be taken by a representative of Treasury member offices or bureaus on a rotating basis. Draft minutes will be shared with all participants for concurrence prior to final approval and distribution. 
IRS will discuss and make a presentation to advise the members of any changes to the trust fund certification process; Per GAO: Closed. We verified that the Treasury Excise Tax Trust Fund Working Group signed a resolution to establish a process for documenting issues related to IRS's trust fund certifications. Our review shows the Treasury Excise Tax Working Group has established a process of recording and distributing minutes of the Working Group meetings in order to document issues related to trust fund certification procedures/processes including procedural or legislative changes impacting trust fund investments. Count: 34; ID. No.: 04-01; Recommendation: Require lockbox bank managers to maintain appropriate documentation on-site demonstrating that satisfactory fingerprint results have been received before contractors are granted access to taxpayer receipts and data. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. To provide more emphasis on security, LSG (2.5) requires appropriate documentation for couriers and guards before they are granted access to taxpayer receipts. To ensure compliance with the LSG, IRS/FMS Security has included this as a review item during their security reviews; Per GAO: Closed. We verified that the LSG does include a requirement that lockbox managers maintain documentation on-site demonstrating that satisfactory fingerprint results have been received before contractors are granted access to taxpayer receipts and data. During our fiscal year 2005 audit, we did not identify any instances in which contractors were granted access to taxpayer receipts and data without having satisfactory fingerprint results on file at the lockbox banks that we visited. Count: 35; ID. 
No.: 04-02; Recommendation: Revise its policy on two-person courier teams to prohibit the use of courier teams consisting of closely related individuals to further minimize the risk of collusion in the theft of taxpayer receipts and data. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. On February 14, 2005, the 2005 LPG was updated and reinforced current courier requirements with an addendum entitled "Courier's Additional Disclosure Statement." Each courier is required to complete and sign the disclosure, affirming that they are not to travel with an immediate family member. In addition, each courier is required to list the name and relationship of each family member residing in the same domicile that also performs courier duties for the IRS. The disclosure statement is updated annually and maintained in the personnel file. Starting in July 2005, during the onsite reviews, the IRS/FMS Security Team began reviewing the disclosure statements to ensure adherence to this requirement; Per GAO: Closed. We confirmed that IRS updated its policy on two-person courier teams for lockbox banks as reflected in the revised LPG. Additionally, we identified no instances in which two-person courier teams consisted of closely related individuals during our fiscal year 2005 testing at the four lockbox banks and four service center campuses that we visited. Count: 36; ID. No.: 04-03; Recommendation: Develop procedures to require lockbox managers to provide satisfactory evidence that managerial reviews are performed in accordance with established guidelines. At a minimum, reviewers should sign and date the reviewed documents and provide any comments that may be appropriate in the event their reviews identified problems or raised questions. 
(short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. Effective October 1, 2005, IRS established a new DCI review entitled "Processing-Internal Controls." During on-site reviews, the following logs are required to be reviewed: desk and work area, date stamp, cash, candling, shred, and mail. The results of these DCI reviews are rolled into a calculation to determine each bank's score in the new bank performance measurement process. In addition, lockbox personnel are required to perform reviews of the desk and work area, cash, candling, and shred logs. A monthly report for each review must be sent to the Lockbox Field Coordinator on the fifth business day of the month following the review. The report must contain the following: date of review, shifts reviewed, results of the review (even when no items are found), and reviewer's and site manager's initials and/or signature as required by the LPG. To further strengthen this internal control, effective June 1, 2006, additional review of the monthly reports (F9535/Discovered Remittance, candling log, disk checks/audits, and shred) received from the lockbox site will be performed by the Lockbox Field Coordinators. Specific check points will be added to the "Monthly Reports" DCI that is a part of the Procedural DCI performed at the SPC. In addition to confirming the receipt and timeliness of the reports, coordinators will review the reports to ensure they are completed per the LPG requirements and that all required management signatures/initials are present to provide satisfactory evidence that the managerial reviews are performed; Per GAO: Open. During our fiscal year 2005 audit, we verified that the LPG and LSG instruct the lockbox bank managers to perform numerous managerial reviews and to provide evidence that the reviews were performed. 
However, at two of the four lockbox banks we visited, we found that satisfactory evidence was not always provided to validate that these reviews were performed in accordance with established guidelines. In addition, IRS's corrective actions addressing documentation of required reviews occurred subsequent to our fiscal year 2005 fieldwork. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 37; ID. No.: 04-04; Recommendation: Revise candling procedures at lockbox banks to require testing of automated candling machines at appropriate intervals, taking into account factors such as use time, volume processed, machine requirements and shift cycles. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. Lockbox Policy and Procedures staff assessed the candling procedures and determined that current technologies are not exempt from the candling requirement and added to the 2005 LPG section 3.2.8(1) that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. Thus, the requirement to keep tests and logs is not necessary. All other envelopes must be candled twice on the candling tables; Per GAO: Closed. During our fiscal year 2005 audit, we verified that the LPG requires that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled one additional time on the candling table. This change and IRS's assessment that current technologies are not exempt from the two candling requirement satisfies the objective of our recommendation. Count: 38; ID. No.: 04-05; Recommendation: Require lockbox managers to maintain a log of these tests and to periodically review their logs. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. 
Lockbox Policy and Procedures staff assessed the candling procedures and determined that current technologies are not exempt from the candling requirement and added to the 2005 LPG section 3.2.8(1) that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. Thus, the requirement to keep tests and logs is not necessary. All other envelopes must be candled twice on the candling tables; Per GAO: Closed. During our fiscal year 2005 audit, we verified that the LPG requires that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled one additional time on the candling table. This change and IRS's assessment that current technologies are not exempt from the two candling requirement satisfies the objective of our recommendation. Count: 39; ID. No.: 04-07; Recommendation: Develop procedures to enhance adherence to existing instructions on safeguarding discovered remittances at SCCs. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. In 2003, IRM 3.8.46, Discovered Remittances, was issued and 10,000 copies were distributed to all campuses. Form 4287 (Record of Discovered Remittances) was revised to enhance adherence to existing instructions by including a check box for managers to indicate the reconciliation was performed. Additionally, Submission Processing revised the monthly security checklist to include a review of the discovered remittance procedures. A Discovered Remittances Job Aid was added to IRM 3.8.46 on January 26, 2005 via the SP Web site. The job aid and a PowerPoint presentation were added to the SP Web site again in August 2005; Per GAO: Open. We verified that the IRM contains a discovered remittances job aid to be used for recording discovered remittances. 
However, during our fiscal year 2005 audit we found that two of the four SCCs we visited did not adhere to the IRM procedures for securing discovered remittances. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 40; ID. No.: 04-08; Recommendation: Enforce its policies and procedures to ensure that SCC security guards respond to alarms. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Open. Mission Assurance revised policies and procedures in IRM 1.16.12, to require the following: (1) self-assessments which test response capabilities of guards to alarms. Mission Assurance implemented a self-assessment tool in October 2004 which is used to test response capabilities relating to alarm activation; (2) monthly, unannounced alarm tests at all campuses and computing centers; (3) mandatory reporting of the monthly alarm test results to the office of Physical Security and Emergency Preparedness (PSEP); (4) review of the monthly test results by the PSEP office, ensuring that the results are in compliance with IRM requirements, and if not, providing feedback for improvements; and (5) annual security exercises at each facility to test alarm responses; Per GAO: Open. During our fiscal year 2005 audit, we continued to find weaknesses in IRS's enforcement of policies and procedures to ensure that SCC security guards respond to alarms. We identified instances at two of four SCCs visited during our fiscal year 2005 audit in which guards either did not respond or did not respond timely to our tests of door alarms. IRS's implementation of new procedures to address guard response issues occurred subsequent to the end of our fiscal year 2005 audit fieldwork. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 41; ID. 
No.: 04-09; Recommendation: Establish compensating controls in the event that automated security systems malfunction, such as notifying guards and managers of the malfunction, and immediately deploying guards to better protect the processing center's perimeter. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. Mission Assurance developed alarm testing procedures which are used to supplement the requirements in IRM 1.16.12. The IRM and supplemental procedures require the notification of local management whenever there is a malfunction of alarms. The procedures also require that guards are deployed or doors are secured, as necessary, either during tests or when otherwise identified. The contract guard force project manager is required to sign off on all unannounced alarm test reports. Test results are maintained by the PSEP office; Per GAO: Open. IRS indicates in its response that compensating controls have been developed and implemented in the event that automated security systems malfunction. However, from our review of the IRM and the compensating controls used in conjunction with the IRM, we did not identify any procedures outlining specific controls to be employed should automated security systems malfunction or be taken out of service for any period of time. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 42; ID. No.: 04-15; Recommendation: Until the Business Performance Management System (BPMS) is fully operational, implement procedures to ensure that all performance data reported in the MSP report are subject to effective, documented reviews to provide reasonable assurance that the data are current at interim periods. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); Per IRS: Closed. 
IRS has taken steps to ensure that the performance measures data reported in the monthly report are properly reviewed before being published. All divisions now submit most of their performance measures data directly to BPMS. The divisions are required to verify/certify the accuracy of the data before uploading to BPMS. Corporate Performance Budgeting staff implemented additional manual quality control procedures that include reviewing all tables, charts, and line graphs and visually inspecting the numbers and comparing the information to the previous month's report for consistency. In addition, IRS is working with Treasury to streamline its current set of performance measures. Its purpose is to increase the value of the information provided to stakeholders, focus priorities, and reduce administrative burden; Per GAO: Open. In fiscal year 2005, we continued to find errors in IRS's interim performance measures data at interim periods. GAO will continue to monitor IRS's progress in this area during our fiscal year 2006 financial audit. Count: 43; ID. No.: 05-01; Recommendation: Expedite efforts to resolve the backlog of unpostable liens, releasing liens as appropriate. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Closed. IRS conducted a review of the unpostable accounts during the period, October 31, 2005, to November 4, 2005. The remaining 1,500 accounts were resolved by May 31, 2005. Inventories are current and being resolved in a timely manner; Per GAO: Closed. We verified that IRS had resolved the backlog of unpostable liens. IRS's Centralized Case Processing/Lien Processing Unit at the Cincinnati Campus is researching and resolving unpostable liens weekly. We reviewed IRS's report of unpostable liens from February and March 2006 and determined there was no current backlog. Count: 44; ID. No.: 05-02; Recommendation: Keep current on all new unpostable liens. 
(short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Closed. IRS has been resolving new unpostables within 5 days since June 2004. IRS conducted a review of the unpostable accounts during the period, October 31, 2005, to November 4, 2005, which verified inventories are current and being resolved in a timely manner; Per GAO: Closed. Although IRS has not formally documented procedures in the IRM for weekly resolution of unpostable liens, IRS officials of the Centralized Case Processing/Lien Processing Unit told us that they research and resolve unpostable liens weekly. We reviewed six weekly reports of unpostable liens from February through March 2006 and determined that IRS was keeping current on new unpostable liens. Count: 45; ID. No.: 05-03; Recommendation: Research and resolve the current backlog of unresolved unmatched exception reports. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Open. Managers and employees have received training on the entity portion of the Satisfied Module (SATMOD) Reject Report. Resolution of the backlog will be conducted by the centralized site. Anticipated time for resolution is being extended to May 2006 in order to complete a workshop, compile the extract from the master file, and establish a specific group of employees to work on the backlog; Per GAO: Open. We will review the status of IRS's corrective actions as part of our fiscal year 2006 audit. Count: 46; ID. No.: 05-04; Recommendation: Research and resolve unmatched exception reports weekly. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Open. IRS developed new procedures for working on the unmatched exception reports. 
Accounts on the unmatched exception report will be resolved by matching information between the master file and the Automated Lien System (ALS). Timely report resolution is an integral function of the Centralized Lien Unit, and time frames and managerial oversight are built into report resolution processes. Managers and employees have received training on the entity portion of the reject report. Training will be ongoing as new employees are assigned to the unit. IRM provisions require resolution of rejected accounts within 5 business days. Managers will monitor timeliness and will report weekly on the outstanding inventory. SB/SE has started working on the cumulative listings; however, additional time is needed to complete the listings. Collection Policy will conduct an onsite review in fiscal year 2006; Per GAO: Open. According to IRS officials we contacted in March 2006, IRS anticipates completing this review in June 2006. We will continue to review the results of IRS's quality review as part of our fiscal year 2006 audit. Count: 47; ID. No.: 05-05; Recommendation: Provide training to designated staff on how to resolve exception reports. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Closed. Managers and employees have received training on the resolution of the restricted interest portion of the SATMOD reject report. IRS conducted a review during the period October 31, 2005, to November 4, 2005. All current employees have received training. Procedural changes are not required; Per GAO: Closed. We verified that IRS had provided training to designated staff on resolving exception reports. Count: 48; ID. No.: 05-06; Recommendation: Research and resolve the current backlog of unresolved manual interest or penalties reports. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Open. 
Managers and employees have received training on the resolution of the manual computation portion of the reject report. IRM provisions require resolution of the rejected accounts within 5 business days. Managers will monitor timeliness and will report weekly on the outstanding inventory. The Collection Policy unit will conduct an on-site review. Training will be given to all new employees as they are assigned to the group. The revised anticipated completion date is May 2006; Per GAO: Open. According to IRS officials we contacted in March 2006, IRS anticipates completing this action in May 2006. We will continue to monitor IRS's efforts to address its backlog of exception reports containing liens with manually calculated interest or penalties as part of our fiscal year 2006 audit. Count: 49; ID. No.: 05-07; Recommendation: Research and resolve exception reports containing liens with manually calculated interest or penalties weekly, as called for in the IRM and the ALS User Guide. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Closed. ALS receives a master file data extract listing modules where liabilities have been fully paid. The data extract that is matched against information in the ALS automatically releases liens when there is a match. In the case of modules with restricted interest or penalty, the module is placed on a report for manual processing. In our review of 300 satisfied modules, we identified five cases with additional restricted interest or penalties. The remaining amounts due after computation were for very small amounts, less than $10. Based on those reviews, we ascertained that these cases should receive systemic release based on the status 12 information provided by master file and verified by our review. 
Copies of the last four weekly extract transmittals in March were reviewed to verify that there were no restricted interest and penalty entries on the listing--confirming that these cases have been systemically released; Per GAO: Open. According to IRS, an internal study determined that the dollar amounts of additional interest and penalties to be assessed on cases with liens requiring manual calculations was not significant. Consequently, IRS is in the process of revising the IRM to no longer require the additional manual computation and assessment of interest and penalties on such cases. In addition, IRS updated its computer programs to automatically release liens once the current account balance had been satisfied. IRS's actions are based on its determination that the additional interest and penalty amounts are not significant. We will review the results of IRS's internal analysis during our fiscal year 2006 audit. Count: 50; ID. No.: 05-08; Recommendation: Provide training to designated staff on how to resolve exception reports containing accounts with manually calculated interest or penalties. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Closed. IRS conducted workshops and provided training to employees of the Centralized Case Processing Lien Teams. IRS conducted an onsite review during the period, October 31, 2005, to November 4, 2005. Procedural changes are not required; Per GAO: Closed. IRS created a special unit within the Centralized Case Processing Lien Processing Unit at the Cincinnati Campus to resolve accounts containing restricted interest and penalties. We verified that IRS had provided training to staff in this unit for resolving exception reports containing accounts with manually calculated interest and penalties. Unit staff we interviewed understood these procedures. Count: 51; ID. 
No.: 05-09; Recommendation: Improve the current unmatched exception report by including a cumulative list of all unmatched taxpayer accounts that have not been resolved to date. (short-term); Source report: Opportunities to Improve Timeliness of IRS Lien Releases (GAO-05-26R, Jan. 10, 2005); Per IRS: Open. Requests for additional enhancements to cumulate the reject report have been initiated. In the interim, area managers are required to print and resolve reports based on IRM procedures. Anticipated date of completion is January 2007; Per GAO: Open. We will review IRS's corrective actions during future audits. Count: 52; ID. No.: 05-10; Recommendation: Revise the Accounts Management Mail Unit procedures, scheduled to be incorporated into the IRM, to include detailed instructions for (1) monitoring transshipped documents and (2) handling cash receipts found during extraction. Where adequate guidance exists elsewhere, IRS should include these through cross-references. (short-term); Source report: Management Report: Review of Controls over Safeguarding Taxpayer Receipts and Information at the Brookhaven Service Center Campus (GAO-05-319R, Mar. 10, 2005); Per IRS: Closed. IRM 3.10.72.12 and 3.10.203 were updated to include detailed procedures for mail operations where Submission Processing no longer has a presence. These instructions include monitoring transshipped documents, safeguarding taxpayer receipts and information, precise candling, and security requirements. The IRM also contains a cross-reference to the handling of cash receipts; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS updated the IRM to include detailed procedures and cross-references, where applicable, for mail operations for SCCs selected for significant reductions in their submission processing functions. Count: 53; ID. 
No.: 05-11; Recommendation: Enforce adherence to existing instructions on safeguarding taxpayer receipts and information, such as securing access and candling procedures, at SCCs selected for significant reductions in their submission processing functions. (short-term); Source report: Management Report: Review of Controls over Safeguarding Taxpayer Receipts and Information at the Brookhaven Service Center Campus (GAO-05-319R, Mar. 10, 2005); Per IRS: Closed. IRS has enforced adherence to existing instructions on safeguarding taxpayer receipts and information by including this requirement in the monthly Campus Security Reviews. It is also reviewed annually by the National Office Security Review Team at selected sites. Local Management continually reinforces these requirements through employee counseling and individual and group meetings with security clerks to ensure procedures for issuance of badges, inventory of badges, and security of taxpayer receipts and information. Meetings have also been held to discuss candling procedures. Local management also conducts weekly and monthly reviews to ensure adherence to these procedures; Per GAO: Open. IRS's corrective actions addressing enforcing adherence to instructions on safeguarding receipts and information occurred subsequent to our fiscal year 2005 fieldwork and will continue as future SCCs are selected for significant reductions in their submission processing functions. We will continue to evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 54; ID. No.: 05-12; Recommendation: Document a methodology for estimating anticipated rapid changes in mail volume at future SCCs selected for significant reductions in their submission processing functions, taking into consideration factors such as the prior rampdown experience at Brookhaven. 
(short-term); Source report: Management Report: Review of Controls over Safeguarding Taxpayer Receipts and Information at the Brookhaven Service Center Campus (GAO-05-319R, Mar. 10, 2005); Per IRS: Open. IRS will use historical data obtained from the Brookhaven Campus rampdown, and any other prior consolidations, to develop and document a methodology for estimating future mail volumes. This methodology will be used in future consolidations to ensure that IRS has reliable data to effectively manage resources during and after the consolidation period; Per GAO: Open. We will evaluate IRS's efforts to develop and document a methodology for estimating mail volume for future sites selected for rampdown. Count: 55; ID. No.: 05-13; Recommendation: Enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. IRS has implemented steps to monitor and enforce the requirements issued on September 29, 2003, on the issuance of ID cards to contractors. This guidance requires that a letter from the NBIC indicating successful completion of at least an interim background investigation be received by the issuing office before a contractor can be approved for staff-like access to IRS. The guidance further stipulates that Physical Security staff would, at least every 6 months, ensure that a re-certification had been received from the contracting officer's technical representative (COTR) confirming the contractors' need for continued staff-like access to the IRS facility. 
Additionally, as part of the required records and accountability process, non-federal photo ID cards are audited annually by the issuing office to reconcile numerical and alphabetical files and ensure that ID cards have been recovered upon separation or termination of the contract; Per GAO: Open. IRS indicated that steps were taken in September 2003 to monitor and enforce the requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers. However, our recommendation was based on findings from our fiscal year 2004 audit, which occurred subsequent to the issuance of IRS's guidance. As such, IRS's actions are not sufficient to address the objective of this recommendation. We will continue to evaluate IRS's enforcement, oversight, and implementation of contractor background investigation policies during our fiscal year 2006 audit. Count: 56; ID. No.: 05-14; Recommendation: Require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. A Mission Assurance policy memorandum dated September 29, 2003, requires the COTRs to complete and submit a request form for every contract employee. Implementation of the standardized form assures that all required information is provided in order for the contractor to receive its IRS photo ID card. The guidance requires a copy of the letter from NBIC indicating successful completion of at least an interim background investigation be attached to the request form or no ID card will be issued. Both documents are maintained by the issuing office; Per GAO: Open. 
IRS's policies and procedures do not require that documentation of the results of background checks for contractors be maintained onsite at SCCs where contractors are allowed access to sites containing taxpayer receipts and information. During our fiscal year 2005 audit, we found that one SCC did not always maintain this information onsite. Count: 57; ID. No.: 05-15; Recommendation: Require that courier contracts call for couriers to submit contingency plans to lockbox banks. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. IRS updated LPG 4.2.3.1, Courier Contingency Plan, on January 1, 2005, to require that prior to implementation of the contract, the courier service must provide the lockbox with a disaster contingency plan. The contingency plan must cover labor disputes, employee strikes, inclement weather, natural disasters, traffic accidents, and unforeseen events; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS updated the LPG to require that courier service contractors must provide the lockbox bank with a disaster contingency plan. Count: 58; ID. No.: 05-16; Recommendation: Review lockbox bank courier contingency plans to help ensure that they incorporate all contingencies specified in the LPG. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. Contingency plans were provided by all lockbox sites by March 31, 2005, and were part of the Filing Season Readiness (FSR) Plan. LPG 4.2.3.1 states "the contingency plan must cover labor disputes, employee strikes, inclement weather, natural disasters, traffic accidents, and unforeseen events." The lockbox coordinators reviewed the contingency plans to ensure that these issues were addressed. 
The lockbox coordinators interpreted the contingency plans to be complete; for example, the coordinators may have viewed contingencies covering natural disasters as sufficient to address inclement weather even though the term "inclement weather" was not specifically stated in the plan. GAO disagreed, citing continued areas of deficiencies. In September 2005, the FMS/IRS Security Team conducted an additional review of each site's courier contingency plans to ensure compliance. Their review indicated that in order to increase consistency and ensure the plans are clearly documented, strengthening of the contingency plan requirements was necessary. The 2006 LSG 2.7 (1) and (2) includes clarification of the requirements for the courier contingency plans. Review of the contingency plans to ensure incorporation of all of the requirements is now assigned to the IRS/FMS security team as part of the on-site courier contingency review; Per GAO: Closed. We verified that IRS and FMS jointly reviewed the lockbox bank courier contingency plans and as a result included language in the LSG clarifying that before courier contracts are implemented, couriers must provide a disaster contingency plan to the lockbox bank addressing specific contingencies. Count: 59; ID. No.: 05-17; Recommendation: Revise the LPG to specify that courier contingency plans be available at lockbox banks. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. LPG 4.2.3.1(1) was updated June 30, 2005, to state that all banks must maintain a signed copy of the courier contingency plan on-site; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS revised the LPG to specify that courier contingency plans be available at lockbox banks. Count: 60; ID. 
No.: 05-18; Recommendation: Review lockbox bank courier and shredding contracts to ensure that they address all privacy-related criteria and include clear reference to privacy-related laws and regulations. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. The LPG 4.2.3(2), was updated on January 1, 2005--Courier Services--which requires lockbox banks to ensure all bonded courier/armored car agreements address all privacy-related criteria and include clear reference to privacy-related laws and regulations. Effective January 1, 2006, in addition to the above requirement, the LSG.2.17.6 (2)(a) added the requirement that all lockbox banks ensure shred company contracts contain clear reference to the privacy-related laws and regulations. In October 2005 the Lockbox Policy and Procedures team reviewed and confirmed that all courier and shred contracts contained all privacy related criteria. Banks must submit their contracts to the Lockbox Policy and Procedures team for their review by October 1 of each year. The courier contract is also reviewed by the IRS/FMS security staff during the on-site courier security review; Per GAO: Closed. During our fiscal year 2005 audit, we verified that the courier and shredding contracts had the required privacy-related language and related provisions set forth in the Privacy Act of 1974. In addition, we verified that the LSG requires lockbox banks to ensure that all bonded courier agreements contain privacy-related language and reminds couriers of their responsibility to not disclose taxpayer information. Count: 61; ID. No.: 05-19; Recommendation: Revise the LPG to require that (1) lockbox couriers promptly return deposit receipts to the lockbox banks following delivery of taxpayer remittances to depositories and, (2) lockbox banks promptly review the returned deposit receipts. 
(short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. IRS Lockbox Policy and Procedures Section updated the LPG on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form--which requires the lockbox site to receive back by the next business day the original completed Receipt for Transport of IRS Lockbox Bank Deposit Form with the bank representative's name and signature, date and time the deposit was received by the depository; and each day the lockbox site must reconcile the Receipt for Transport of IRS Lockbox Bank Deposit Form(s) to ensure receipt of dedicated service (e.g., the time between release to the courier and the release to the bank is not in excess). If discrepancies are found, the lockbox field coordinator should be notified immediately; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS updated the LPG to require that (1) lockbox couriers return, on the next business day, deposit receipts to the lockbox banks following delivery of the taxpayer remittances to depositories and (2) lockbox banks promptly review, on a daily basis, the returned deposit receipts. Count: 62; ID. No.: 05-20; Recommendation: Revise the LPG to require that deposit receipts for taxpayer remittances be time- and date-stamped. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. The LPG was updated on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form--to require the courier service employee to return the form to the lockbox site on the next business day, ensuring the following information is completed on the form: the depository bank employee's name and signature, the date the deposit was received by the depository, and the time the deposit was received by the depository; Per GAO: Closed. 
During our fiscal year 2005 audit, we verified that IRS updated the LPG to require that deposit receipts for taxpayer remittances include the time and date of receipt by the depository institution. Count: 63; ID. No.: 05-21; Recommendation: Better enforce the LPG requirement that lockbox bank couriers annotate the time of delivery on receipts for deposits of taxpayer remittances. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form, was updated on January 1, 2005, to require lockbox bank couriers to annotate the time of delivery of receipts for deposits of taxpayer remittances. New Security Performance Measures have been developed to measure and rate each site's overall adherence to security guidelines and provides incentives/disincentives accordingly. Mission Assurance and FMS Security support the Lockbox Policy and Procedures Program Office in conducting security reviews. Reviews will rate each site's compliance to physical, personnel, courier, and IT security. Security Performance Measures is scheduled to be fully implemented by January 2006. To further prepare for filing season each year, each bank is now required to certify that they are adhering to security guidelines; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS updated the LPG to require that couriers annotate the time of delivery of receipts for deposits of taxpayer remittances. We did not find any instances during our fiscal year 2005 testing in which the courier did not annotate the time the courier received the deposit from the bank personnel. Count: 64; ID. No.: 05-22; Recommendation: Provide a written reminder to courier contractors of the need to adhere to all courier service procedures. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 
27, 2005); Per IRS: Closed. Effective January 1, 2006, the lockbox banks must provide an annual memorandum to the courier contractor reminding them that they must adhere to all of the courier service procedures in the LSG. For the campuses, Service Center Accounting held a conference (Deposit Manager's CPE on January 31, 2006) with FMS, the Federal Reserve Banks, and the servicing TGA banks and reinforced all policies and procedures governing the courier process as outlined in IRM 3.8.45; Per GAO: Open. We verified that IRS's LSG requires lockbox banks to issue an annual memorandum to courier contractors reminding them to adhere to all courier service procedures in the LSG. However, this memorandum had not been issued by the conclusion of our fiscal year 2005 fieldwork. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 65; ID. No.: 05-23; Recommendation: Periodically verify that contractors entrusted with taxpayer receipts and information off site adhere to IRS procedures. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. The Lockbox LSG requires that while transporting the data from the lockbox facility, the courier vehicle used to transport taxpayer data/remittances must be locked and secured (LSG 2.13), driven directly to the destination (LSG 2.12) and the vehicle must always be under the supervision of the courier (LSG 2.13). All couriers are required to complete the same National Agency Check and Inquiry with Credit Investigation (NACIC) as bank management officials. For specific transport activities, deposit ticket and deposit transport timeframes are reviewed as part of Lockbox Performance Measures; Per GAO: Open. IRS's corrective actions do not address the intent of this recommendation, which envisioned IRS testing courier compliance through observations or similar methods. 
During our fiscal year 2005 audit, we found instances where couriers did not follow IRS policies and procedures while transporting receipts and information. During our observations of couriers en route, we continued to find instances where couriers either made unauthorized stops before proceeding to the depository institution or left the vehicle unattended while it contained taxpayer receipts and information. Count: 66; ID. No.: 05-24; Recommendation: Develop alternative, back-up plans that are consistent with IRS courier policies and procedures to address instances in which only one courier reports for transport of taxpayer receipts or information, such as requiring that a service center or lockbox bank employee accompany the courier to the depository. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. The 2005 LPG 4.2.3.1 "Courier Contingency Plan" was updated on July 18, 2005 (effective Aug. 29, 2005) to include a plan that ensures the security of receipts if courier requirements are not met, or the courier contractor is unable to send suitable replacement couriers in time to meet the bank's deposit deadline. Submission Processing campuses submitted contingency plans in May 2005, which outline what deposit managers are to do in the event that couriers are unable to transport a deposit in the event of non-compliance with contract requirements, vehicle breakdown, or other reasons. In addition, the implementation of the Courier Daily Checklist in April 2005 has continued to work smoothly; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS had updated its LPG for lockbox banks and submitted contingency plans for SCCs, which outline what to do in the event that couriers are unable to transport a deposit in the event of noncompliance with contract requirements. Count: 67; ID. 
No.: 05-25; Recommendation: Formulate a policy to require that critical utility or security controls not be located in areas requiring frequent access. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Open. Mission Assurance developed policy guidelines to address protection of security or critical controls. Mission Assurance will request transfer of this corrective action to W&I to coordinate with the business operating divisions and Procurement to incorporate any revised requirements into updated and future interagency agreements with FMS; Per GAO: Open. During our fiscal year 2005 audit, we verified that IRS continues to develop guidelines to address protection of security of critical controls. These corrective actions were not complete at the conclusion of our fiscal year 2005 fieldwork. We will continue to evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 68; ID. No.: 05-26; Recommendation: Require lockbox bank management to position closed-circuit television (CCTV) cameras to enable monitoring of secured areas containing sensitive systems or controls. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. Mission Assurance has developed and incorporated a CCTV evaluation matrix into the security review process ensuring that critical areas and assets are monitored. Every camera is assessed during the review. In addition, verbiage for the CCTV requirements is being strengthened in W&I's new proposed LSG currently under development. The LSG will require at least one camera monitor the main utility feeds. Also, the LPG requires that the IRS security controls, equipment, and utilities must be locked to prevent tampering and that keys will be controlled and limited to authorized bank employees. 
Mission Assurance will also include key and combination controls and management as part of its review process at the banks; Per GAO: Open. During our fiscal year 2005 audit, we found a sensitive area in a lockbox bank that was not monitored by a camera. The corrective actions planned by IRS had not been implemented at the conclusion of our fieldwork. We will continue to assess IRS's corrective actions during our fiscal year 2006 audit. Count: 69; ID. No.: 05-27; Recommendation: Periodically monitor lockbox banks' adherence to the LPG requirement that keys be kept in secured containers within the secured perimeter. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. The LSG was revised and published on January 1, 2006. The LSG requires strict control of keys, panels, and access to rooms and areas that contain facility utilities and controls. Lockbox banks are monitored and reviewed to ensure compliance to the policy. The Lockbox Physical Security Checklist includes checks to verify compliance to the policy. Five lockbox reviews have been conducted subsequent to publication of the LSG, and IRS has not observed any instances of this finding at any of the sites reviewed; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS periodically monitored adherence to this requirement during its lockbox bank security reviews. Count: 70; ID. No.: 05-28; Recommendation: Assess technologies that may be exempt from the visual inspection requirement to determine whether they are acceptable methods of satisfying candling objectives and, if so, add such technologies to the LPG list of accepted candling methods. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. 
IRS Lockbox Policy and Procedures staff determined that current technologies are not exempt from the candling requirement and added to the 2005 LPG 3.2.8(1) that envelopes opened (either manually or by OPEX) on three or more sides must be candled once on the candling tables. All other envelopes must be candled twice on the candling tables; Per GAO: Closed. IRS's determination that current technologies are not exempt from the candling requirement, and the additional LPG guidelines added and verified by us during our fiscal year 2005 audit, meet the objective of this recommendation. Count: 71; ID. No.: 05-29; Recommendation: Conduct an assessment of the costs and benefits of relying on only one candling when using certain automated equipment. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. W&I determined that a cost benefit analysis was not necessary because it previously assessed the candling function on the automated equipment. To provide additional risk mediation, W&I revised the LPG under section 3.2.8 (1) to require that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. W&I will monitor adherence during site reviews; Per GAO: Closed. IRS's determination that current technologies are not exempt from the candling requirement, and the additional LPG guidelines added and verified by us during our fiscal year 2005 audit, meet the objective of this recommendation. Count: 72; ID. No.: 05-30; Recommendation: Clarify the LPG to eliminate confusion about the number of candlings required for different extraction methods. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. 
IRS updated the 2005 LPG 3.2.8, Candling, to require that envelopes opened (either manually or by OPEX) on three or more sides must be candled once on the candling tables. All other envelopes must be candled twice on the candling tables; Per GAO: Closed. We verified that IRS updated the LPG to clarify requirements concerning the number of candlings. Count: 73; ID. No.: 05-31; Recommendation: Establish guidelines and a testing requirement to ensure satisfactory lighting conditions for effective candling. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. IRM 3.10.72.6.2 (2) (a) requires that all candling equipment on both initial and final candling tables shall be adjusted as necessary to maintain maximum envelope recognition. Maximum envelope recognition is determined by the measurement of foot candles through use of a light meter. Minimum reading on the light meter should be 174. The testing of the candling equipment should be completed twice annually for IMF sites and quarterly for BMF sites. Testing will be completed prior to peak time-frames. Management or a designated employee will complete the candling equipment review log to verify lights are meeting minimum requirements. Light meters are available and testing has been completed at all SPCs to ensure requirements are met. Sorting table vendors have been contacted and are aware of this requirement and are adjusting all new tables that are purchased to ensure they are in compliance; Per GAO: Closed. During our fiscal year 2005 audit, we verified that IRS revised its IRM to include guidelines for testing lighting conditions for candling equipment. Count: 74; ID. 
No.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Open. IRS will establish a procedure(s) for SB/SE field office units to track Document Transmittal forms and acknowledgments of receipt of Document Transmittal forms. IRS will also strengthen guidance to revenue officers and will develop procedures specifically for its field clerical staff. IRS's procedures will clarify that revenue officers are responsible for submitting an appropriately labeled sealed envelope containing the Daily Report of Collection Activity form to a designated clerical contact in the post of duty (POD). This guidance will apply unless the revenue officers are working away from the POD on extended field calls, flexiplace, or are working in a single revenue officer POD. Those revenue officers will send the envelope directly to Submission Processing; Per GAO: Open. IRS's proposed corrective actions to this recommendation have not been finalized and published in the IRM. We will continue to monitor future developments in this area during our fiscal year 2006 audit. Count: 75; ID. No.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. 
In 2005, Remittance Training covering the procedures for remittance processing was conducted for all TAC managers. The requirement for including a document transmittal form listing the Daily Report of Collection Activity forms in the transmittal package was emphasized. Field Assistance headquarters began operational reviews on February 28, 2006 to, among other things, ensure TAC adherence to required IRM procedures. Additional emphasis was placed on development of internal controls and the oversight and accountability of both employees and managers within Field Assistance. Specifically, Field Assurance headquarters began conducting operational reviews on February 28, 2006. The operational reviews include assessing their ability to engage employees in process and program improvement, identifying best practice ideas, ensuring elements of accountability and responsibility are clearly communicated at each level, and assessing conformance to the current policies and procedures; Per GAO: Open. During our fiscal year 2005 audit, we found that three of eight TACs we visited did not use a document transmittal to transmit multiple Daily Report of Collection Activity forms to their respective SCC for further processing. We will continue to evaluate IRS's implementation of its corrective actions during our fiscal year 2006 audit. Count: 76; ID. No.: 05-34; Recommendation: Establish a procedure for SB/SE field office units to track Document Transmittal forms and acknowledgments of receipt of Document Transmittal forms. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Open. IRS will update its procedures to clarify that the managers should ensure continuous coverage of the designated clerical contact duties so that absence due to illness or leave does not disrupt the processing of remittances; Per GAO: Open. IRS's corrective actions were not implemented during our fiscal year 2005 audit. 
In addition, our audit continued to find numerous instances of SB/SE groups not properly tracking document transmittal forms to ensure that taxpayer receipts and information were received by the recipient. We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 77; ID. No.: 05-35; Recommendation: Require evidence of managerial review of recording, transmittal, and receipt of acknowledgments of taxpayer receipts and information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Open. IRS will establish a procedure(s) to require evidence of managerial review of recording, transmittal, and receipt of acknowledgments of taxpayer receipts and information. However, IRS will not implement any procedure requiring 100 percent managerial review. IRS's new procedures will call for random managerial spot-checking of packages prepared for submission to Submission Processing by revenue officers working in PODs or by the designated clerical contacts in the PODs. The new procedure(s) will not call for any random managerial spot-checking of packages prepared by revenue officers working away from the POD on extended field calls or flexiplace. Instead, on those packages, IRS will continue to rely on the remittance reviews conducted by remittance processing personnel in Submission Processing. These reviews will be documented by the revenue officer group manager and be retained for the appropriate period required under record management guidelines; Per GAO: Open. IRS's corrective actions were not implemented during our fiscal year 2005 audit. In addition, we continued to find numerous instances where SB/SE groups did not provide evidence that managers, or a designee, reviewed the recording, transmittal, and receipt of acknowledgements of taxpayer receipts and information to ensure that they were received and acknowledged by the recipient. 
We will evaluate IRS's corrective actions during our fiscal year 2006 audit. Count: 78; ID. No.: 05-36; Recommendation: Assess options to prevent the generation or disbursement of refunds associated with accounts with unresolved AUR discrepancies, including placement of a freeze or hold on all such accounts, until the AUR review has been completed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. IRS's position is that, if followed, the procedures it has in place adequately address preventing the generation or disbursement of refunds associated with AUR accounts. IRM 3.8.45 requires employees receiving an unidentified remittance to conduct Integrated Data Retrieval System (IDRS) research to determine if there is an open account that allows for posting of the remittance. Also, AUR will partner with SP to ensure that employees receiving unidentified remittances are aware of the need to conduct IDRS research and how to properly post AUR remittances in these instances; Per GAO: Open. During our fiscal year 2005 audit, we found a technician in the Unidentified Remittance unit unaware of how to properly post remittances for AUR cases. We will continue to monitor IRS's efforts in preventing the generation or disbursements of refunds associated with AUR accounts during our fiscal year 2006 financial audit. Count: 79; ID. No.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. A memorandum was issued on August 3, 2005, as a reminder to solicit the annual list of authorized signatures (individuals formally delegated authority to sign manual refunds). 
The campuses were advised to submit a memorandum to National Office no later than October 31, certifying they had completed the request for authorized signatures. This information was also conveyed via Information Alert: W&I-IA-2002-1149-2005, dated March 17, 2005; and will be covered by BMF headquarter staff during their unannounced visits; Per GAO: Open. During our fiscal year 2005 audit, we continued to find issues with the documentation requirements relating to authorizing officials charged with approving manual refunds. For example, IRS policy requires that IRS submit a memorandum identifying the personnel designated to authorize manual refunds. The list must include the name, title/position, and signature of the designated person and official issuing the memorandum. However, during our July 2005 testing, we found memorandums that were either over a year old or lacked the required information. The reminder memorandum Submission Processing issued on August 3, 2005, was issued subsequent to our July 2005 fieldwork. We will continue to follow up on IRS's efforts to improve the documentation requirements during our fiscal year 2006 financial audit. Count: 80; ID. No.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. Submission Processing issued an alert on the SP Web site on March 17, 2005. A reminder memorandum was issued on August 3, 2005. IRM check sheets were included, and campuses were required to confirm actions taken. IRS determined this item would not be included in the management accountability review process. As part of our commitment to improve the manual refund process, an attachment covering monitoring was included with the annual memorandum soliciting authorized manual refund signers. 
In response to the Service-wide Electronic Research Program (SERP) alert issued by Accounts Management, we included items that should be considered when Accounting Operations reviewed manual refund requests initiated by employees in the SP campuses. This will be covered by BMF headquarter staff during their unannounced visits; Per GAO: Open. During our fiscal year 2005 audit, we continued to find instances where the manual refund initiators did not monitor accounts to prevent duplicate refunds, and supervisors did not review the monitoring of accounts. We reviewed the alerts that IRS issued on April 1, 2005 (Monitoring Manual Refunds) and May 13, 2005 (Managerial Procedures for Manual Refunds). However, we found that some of the manual refund initiators, leads, supervisors and managers were unaware of the alerts. The reminder memorandum issued on August 3, 2005 was issued subsequent to our July 2005 testing. We will continue to review IRS's monitoring and review efforts during our fiscal year 2006 financial audit.

Count: 81; ID. No.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. Submission Processing issued a reminder memorandum on August 3, 2005. IRM check sheets were included, and campuses were required to confirm actions taken. IRS determined this item would not be included in the management accountability review process. As part of our commitment to improve the manual refund process, an attachment covering monitoring was included with the annual memorandum soliciting authorized manual refund signers. In response to the SERP alert issued by Accounts Management, we included items that should be considered when Accounting Operations reviewed manual refund requests initiated by employees in the SP campuses.
This will be covered by BMF headquarter staff during their unannounced visits; Per GAO: Open. During our fiscal year 2005 audit, we found the requirements for documenting monitoring actions and documenting supervisory review were not always enforced. The reminder memorandum issued on August 3, 2005, was issued subsequent to our July 2005 testing. We will continue to monitor IRS's efforts in documenting the monitoring actions and documenting the supervisory review during our fiscal year 2006 financial audit.

Count: 82; ID. No.: 05-40; Recommendation: Enforce the requirement that command code profiles be reviewed at least once annually. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. SP supports Mission Assurance in enforcing IDRS security by ensuring appropriate officials are reminded annually of their security obligations. A memorandum, including IDRS security and the Automated Command Code Access Control, was issued August 3, 2005. IRS determined this item would not be included in the management accountability review process. An overview of the Automated Command Code Access Control (ACCAC) program was included in our Annual Solicitation for Authorized Signatures - Manual Refunds memorandum, dated August 3, 2005. This will be covered by BMF headquarter staff during their unannounced visits; Per GAO: Open. During our fiscal year 2005 audit, we found that the requirement for the annual review of command code profiles was not always enforced. The reminder memorandum issued on August 3, 2005 was issued subsequent to our July 2005 fieldwork. We will continue to follow up on IRS's efforts in enforcing the requirement to review command code profiles at least once annually during our fiscal year 2006 financial audit.

Count: 83; ID. No.: 05-41; Recommendation: Specify in the IRM that staff members are not to review their own command code profiles.
(short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Open. The IRM wording will be updated, and recommendations will be included in annual reminders (memos, notices, etc.) to management officials that the approver's manager is responsible for ensuring that approvers' profiles have appropriate restrictions and have been reviewed. Mission Assurance updated its project Web page in January 2005, advising managers and unit security representatives to review IDRS user profiles to ensure that the appropriate restrictions have been added to the user's profile. Limited staffing resources have impacted the actual updating of the IDRS Security Law Enforcement Manual (LEM). The LEM wording will be updated to require managers and unit security representatives to review the IDRS security profiles to ensure that appropriate restrictions have been placed against the user's IDRS account. The LEM is expected to be revised by July 15, 2006; Per GAO: Open. During our fiscal year 2005 audit, we found that the IRM wording to specify that staff members are not to review their own command code profiles had not been updated. We will continue to monitor IRS's efforts in preventing staff members from reviewing their own command code profiles during our fiscal year 2006 audit.

Count: 84; ID. No.: 05-42; Recommendation: Specify in the IRM how to properly verify interest and penalties for accounts with liens with manually calculated interest or penalties. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005); Per IRS: Closed. IRS revised the IRM to instruct employees to check the IDRS to determine if restricted interest or penalty is due. The IRM now clearly states that there are only two instances where restricted interest and penalty should not be computed, offer-in-compromise and bankruptcy cases.
Also, instructions for computing restricted interest and penalty are found in the ALS User Guide as well as in training material and desk guides. In addition, tax examiners hired to staff the Centralized Case Processing (CCP), Lien Processing Unit were provided hands-on training in the computation of restricted interest and penalty. Resolution of these cases moved to CCP effective February 2005. The centralized site has created a special group of employees who were trained in the resolution of restricted interest and penalty cases. New hires for this group will also receive this training. The LEM will be updated to reflect the changes made by the RIS; Per GAO: Open. According to IRS, an internal study determined that the dollar amounts of additional interest and penalty to be assessed on cases with liens requiring manual calculations were not significant. Consequently, IRS is in the process of revising the IRM to no longer require the additional manual computation and assessment of interest and penalty on such cases. In addition, IRS updated its computer programs to automatically release liens once the current account balance had been satisfied. IRS's actions are based on its determination that the additional interest and penalty amounts are not significant. We will review the results of IRS's internal analysis during our fiscal year 2006 audit.

Count: 85; ID. No.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 86; ID. No.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within LMSB and TE/GE, establish a system to track acknowledged copies of document transmittals. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 87; ID. No.: 06-03; Recommendation: Provide instructions to document the follow-up procedures performed in those cases where transmittals have not been timely acknowledged. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 88; ID. No.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 89; ID. No.: 06-05; Recommendation: Equip all TACs with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 90; ID. No.: 06-06; Recommendation: Connect duress alarms to a central monitoring station or local police department or institute appropriate compensating controls when these alarm systems are not operable or in place. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 91; ID. No.: 06-07; Recommendation: Document supervisory visits by offsite managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned.
(short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 92; ID. No.: 06-08; Recommendation: Enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 93; ID. No.: 06-09; Recommendation: Reemphasize the need for the security guards at all TACs to ensure that key PODs, such as entrances to facilities, are not left unattended. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 94; ID. No.: 06-10; Recommendation: Revise lockbox bank's security review checklist to ensure that it encompasses reviewing security incident reports to validate whether security personnel are providing corrective actions related to the incidents cited.
(short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 95; ID. No.: 06-11; Recommendation: Refine the scope and nature of its periodic reviews of candling processes at SCCs to ensure they (1) encompass tests of whether envelopes are properly candled through observation of candling in process and inquiry of employees who perform initial and final candling, and (2) document the nature and scope of the test and observation results. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 96; ID. No.: 06-12; Recommendation: Enforce its existing policies and procedures at lockbox banks to ensure that all remittances of $50,000 or more are processed immediately and deposited at the first available opportunity. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 97; ID. No.: 06-13; Recommendation: Refine the scope and nature of its periodic reviews of lockbox banks to include high dollar remittances to better monitor adherence to the requirement that they are processed immediately and deposited at the first available opportunity.
(short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 98; ID. No.: 06-14; Recommendation: Refine the scope and nature of its periodic security reviews to encompass (1) testing the effectiveness of controls intended to ensure that only individuals with proper credentials are permitted access to SCCs and lockbox banks, and (2) reviewing the integrity of perimeter security at SCCs. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 99; ID. No.: 06-15; Recommendation: Revise the physical security procedures contained in the IRM to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 100; ID. No.: 06-16; Recommendation: Amend its policy to require that a completed form 13094 with a positive recommendation be provided for every juvenile hired to any position that will allow access to taxpayer receipts and/or taxpayer information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 101; ID. No.: 06-17; Recommendation: Require IRS personnel to verify the information on the form 13094 by contacting the reference directly. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 102; ID. No.: 06-18; Recommendation: Revise the form 13094 to require the reference to describe his/her relationship with the juvenile, including extent of first-hand contact, to allow IRS to review the forms and assess whether the referencer has sufficient basis to recommend that juvenile to a position of trust. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 103; ID. No.: 06-19; Recommendation: Establish procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS's current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a form 13094 or its equivalent. These procedures could include a list of acceptable alternatives that may serve as references for juveniles who do not have a current teacher, principal, or guidance counselor. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 104; ID. No.: 06-20; Recommendation: To assure proper accounting treatment of expense and P&E transactions and reliable financial reporting, we recommend that IRS enforce its property and equipment capitalization policy to ensure that it is properly implemented to fully achieve management's objectives, including recognizing assets when its capitalization criteria is met and recognizing expenses when it is not. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 105; ID. No.: 06-21; Recommendation: Generate aging reports when an asset remains in pending disposal status for longer than a specified period of time. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Open.
In March 2006 the chief information officer (CIO) property program manager informed GAO that issues raised in the FY 2005 Financial Statement Audit are being addressed via a re-engineering effort focused on the entire asset retirement and disposal process. As such, reports are currently available to monitor aging transactions during the disposal life cycle. Additionally, procedures are being developed to require reviews of aging reports for the timely recording of disposal transactions. Substantial software modifications are being designed to improve the recording of information by replacing manual data entry methods by using electronic forms, signatures, and processes. In August 2006 these modifications and review procedures will be implemented to streamline the recording of asset disposal activity as required by IRS policy; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.

Count: 106; ID. No.: 06-22; Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Per IRS: Open. AWSS and CIO property managers have been working on reengineering the entire asset retirement and disposal process to mitigate issues raised in GAO's FY 2005 Financial Statement Audit. CIO staff reported on that initiative to GAO in March 2006. As such, reports are currently available for management to monitor the status of aging transaction dates until the disposal process is complete. Also, review procedures are being developed to streamline the process to ensure the timely recording of disposal transactions. In August 2006, reengineered process modifications and review procedures will be implemented and guidance for conducting reviews will be issued; Per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits.
Sources: IRS updates detailing IRS actions to address GAO's recommendations and GAO's analysis of IRS's actions.

[End of table]

[End of section]

Appendix II: Comments from the Internal Revenue Service:

Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:

Commissioner:

May 25, 2006:

Mr. Steven J. Sebastian:
Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:

Dear Mr. Sebastian:

Thank you for the opportunity to review and comment on your draft report entitled, "Internal Revenue Service: Status of Recommendations from Financial Audits and Related Financial Reports" (GAO-06-560). We are pleased that you acknowledged our progress in addressing our financial management challenges and agreed to close 34 of the 84 open financial management recommendations from last year's report. Although 22 new recommendations were added, the total number of open recommendations continues to decrease.

We have taken actions to address your recommendations and improve our internal controls. For example, we expanded our reportable condition plan for controls over hard-copy tax receipts. This plan now includes comprehensive actions to address your recommendations for lockboxes, submission processing campuses, Taxpayer Assistance Centers, and field offices. The Financial and Management Controls Executive Steering Committee will monitor the plan until completed.

We appreciate your mapping the 72 open recommendations to specific internal control activities and grouping them into three broad control activities, Safeguarding of assets and security activities, Proper recording and documenting of transactions, and Effective management review and oversight. This approach provides additional information on the internal control issues and facilitates our strategy to address the financial management issues.
I appreciate your willingness to work with us throughout the year to improve our internal controls. Your staff has met with representatives of the business units on many occasions to assist us in developing action plans to resolve these issues.

If you have any questions, please contact Janice Lambert, Chief Financial Officer, at (202) 622-6400.

Sincerely,

Signed by:

Mark W. Everson:

[End of section]

Appendix III: Staff Acknowledgments:

The following individuals made major contributions to this report: William J. Cordrey, Charles Fox, Paul Foderaro, Nina Crocker, John Davis, Charles Ego, David Elder, Ted Hu, Jerrod O'Nelio, John Sawyer, Peggy Smith, Lisa Warde, Gary Wiggins, and Mark Yoder.

(196093)

Footnotes:

[1] Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Part of the actions required by agencies and individual federal managers includes taking proactive measures to develop and implement appropriate, cost-effective internal control for results-oriented management; to assess the adequacy of internal control in federal programs and operations; to identify needed improvements; and to take corresponding corrective actions.

[2] A material weakness is a reportable condition that precludes the entity's internal controls from providing reasonable assurance that material misstatements in the financial statements would be prevented or detected on a timely basis. Reportable conditions represent significant deficiencies in the design or operation of internal controls that could adversely affect an entity's ability to initiate, authorize, record, process, or report financial data reliably.

[3] The Circular was revised in December 2004.
The circular states that the revision followed a reexamination of the existing internal control requirements for federal agencies that was initiated in light of the new internal control requirements for publicly traded companies contained in the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002). However, the revised circular states that it is not effective until fiscal year 2006. Therefore, during the period covered by our fiscal year 2005 audit of IRS's financial statements, IRS had to comply with the requirements contained in the prior circular version, OMB Circular No. A-123, Management Accountability and Control (June 21, 1995).

[4] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).

[5] The circular requires agencies and individual federal managers to take systematic and proactive measures to (1) develop and implement appropriate, cost-effective internal control for results-oriented management; (2) assess the adequacy of internal control in federal programs and operations; (3) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A of the circular; (4) identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal control through management assurance statements.

[6] GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001).

[7] GAO, Internal Revenue Service: Status of Recommendations from Financial Audits and Related Financial Management Reports, GAO-05-393 (Washington, D.C.: Apr. 29, 2005).

[8] GAO, Management Report: Improvements Needed in IRS's Internal Controls, GAO-06-543R (Washington, D.C.: May 12, 2006).

[9] Short-term recommendations are defined as those that could be addressed within 2 years at the time we made the recommendation.
Long-term recommendations are defined as those expected to require 2 years or more to implement at the time we made the recommendation.

[10] The vast majority of federal tax payments are made for both businesses and individuals via the Electronic Federal Tax Payment System (EFTPS).

[11] Information security controls include electronic access controls, software change controls, physical security, segregation of duties, and service continuity. These controls are designed to ensure that access to data is appropriately restricted, that only authorized changes to computer programs are made, that physical access to sensitive computing resources and facilities is protected, that computer security duties are segregated, and that backup and recovery plans are adequate to ensure the continuity of essential operations.

[12] GAO, Information Security: Continued Progress Needed to Strengthen Controls at the Internal Revenue Service, GAO-06-328 (Washington, D.C.: Mar. 23, 2006).

[13] Exception reports are one of the measures listed in GAO's Internal Control Management Evaluation Tool (GAO-01-1008G) as an information processing function.

[14] Most refunds are generated automatically. However, under certain circumstances, IRS processes refunds manually to expedite payment. Such refunds include those over $10 million, those requested by taxpayers for immediate payment due to hardship or emergency, those to beneficiaries of deceased taxpayers, and those that need to be expedited because IRS is in jeopardy of paying interest for exceeding the 45-day limit for processing a return.